[Dshield] virus that disable regedit/msconfig?

Diamond King mercyful_fated at yahoo.com
Fri Oct 29 06:53:22 GMT 2004


Hi again.

After further investigation, we found ntsysman.exe in Task Manager, and when we tried to kill the process it restarted again and again. So we decided to search for ntsysman.exe and syslog32.exe on the local drives and delete them. After a reboot, everything went back to its normal state.

--- allan.vanleeuwen at orangemail.nl wrote:

> Hi Brian
> 
> A lot of the rdbot / sdbot variants kill regedit and msconfig processes every 5 seconds or so. You can evade this by renaming your regedit.exe to something else. It does mean, however, that you did not completely clean the infection yet; there should be at least one more process running that is causing this. A boot into safe mode will most likely also allow you to use the regedit utility.
> 
> Hope it helps ...
> 
> Allan
> 
> -----Original Message-----
> From: Diamond King [mailto:mercyful_fated at yahoo.com]
> Sent: Thursday, October 28, 2004 7:51 AM
> To: list at lists.dshield.org
> Subject: [Dshield] virus that disable regedit/msconfig?
> 
> Hello people. Recently, there have been some virus attacks on our network. For your information, our gateway is a Linux machine equipped with Squid and the Shorewall firewall. Last week, Squid started to act weird, and as I browsed through the cache.log file I could see many "Request header is too large (24575 bytes)" entries in it. This made Squid's performance slow down.
> 
> We went to scan the users' PCs with Trend Micro's Sysclean utility and Spyware Doctor. Most of the infected users are unable to start their antivirus software. By the way, the infected users are attacking ports 135, 139 and 445. They are also attacking ports 80 and 443 (I reckon that's the reason why Squid is slow). Sysclean found WORM_SDBOT.SE, while Spyware Doctor detected at least a hundred spywares.
> 
> One of the symptoms of this virus is that we are unable to run regedit or msconfig as well. It pops up for a few seconds and then goes away. The same thing happened while we tried to patch their Windows. After scanning, the infected PC seems to stop spreading, but I can still see a few HTTP port requests to IP address 192.x.x.x. Weird thing. However, after cleaning sdbot.se, we still can't access regedit/msconfig or patch the system. Can someone please advise me what can be done to resolve this issue? Thanks for the time.
> 
> brian
> 
> _______________________________________________
> DShield and the Internet Storm Center are sponsored
> by the SANS Institute.
> To learn more about current SANS training, see
> http://www.sans.org .
> 
> _______________________________________________
> send all posts to list at lists.dshield.org To change
> your subscription options
> (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> ===========================================================
> The information contained in this message may be confidential and is intended to be only for the addressee. Should you receive this message unintentionally, please do not use the contents herein and notify the sender immediately by return e-mail. Although Orange has taken steps to ensure that this email and attachments are free from any virus, you do need to verify the possibility of their existence as Orange can take no responsibility for any computer virus which might be transferred by way of this email.
> ===========================================================
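Brian's gateway sits between the infected PCs and the rest of the network, so its Shorewall log is where the fan-out on ports 135, 139 and 445 described in the original post shows up first. The following is an added example, not code from the thread or from the Shorewall project: a Python script that pulls source, destination and port out of netfilter-style Shorewall log lines and flags LAN hosts that probe many distinct targets on those ports. The log lines, hostnames and addresses are constructed, and the `Shorewall:loc2net:` prefix is an assumption about how the gateway's logging was configured.

```python
import re
from collections import defaultdict

# Constructed sample of netfilter LOG lines as a Shorewall gateway writes them
# to syslog; these are made-up entries, not lines from the original thread.
SAMPLE_LOG = """\
Oct 28 07:40:01 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.5 PROTO=TCP SPT=1041 DPT=445 SYN
Oct 28 07:40:01 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.6 PROTO=TCP SPT=1042 DPT=445 SYN
Oct 28 07:40:02 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.7 PROTO=TCP SPT=1043 DPT=135 SYN
Oct 28 07:40:02 gw kernel: Shorewall:loc2net:DROP:IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=10.0.0.8 PROTO=TCP SPT=1044 DPT=139 SYN
Oct 28 07:40:03 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.50 DST=10.0.0.5 PROTO=TCP SPT=3301 DPT=445 SYN
Oct 28 07:40:04 gw kernel: Shorewall:loc2net:ACCEPT:IN=eth1 OUT=eth0 SRC=192.168.1.77 DST=10.0.0.9 PROTO=TCP SPT=3302 DPT=80 SYN
"""

# Ports the SDBot family spreads over (RPC/NetBIOS/SMB), as named in the thread.
WORM_PORTS = {135, 139, 445}

# Only the fields we need; other key=value pairs in the netfilter line are skipped.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+).*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a netfilter/Shorewall log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def find_scanners(log_text, ports=WORM_PORTS, min_targets=3):
    """Map each source host to the distinct destinations it probed on `ports`.

    A single connection to port 445 is ordinary file sharing; one host fanning
    out to many distinct destinations on 135/139/445 is the worm's scan pattern.
    Only sources that reached at least `min_targets` distinct hosts are reported.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport in ports:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(dsts)} distinct hosts probed on {sorted(WORM_PORTS)}")
```

Run it against the gateway's real syslog output instead of `SAMPLE_LOG` to get the list of LAN hosts to pull and clean; the host hitting port 80 only is left out by design.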