[unisog] Virus Identification / Eradication assistance

Brad Coburn coburn at tcnj.edu
Wed Feb 9 17:11:58 GMT 2005

Hi all. I'm posting this on behalf of others in my organization who are 
fighting a Windows 2000 malware issue that has suddenly popped up on 
campus and is almost debilitating in its effects on workstations and 
possibly the network. This is all third hand for me, so please excuse 
the vague nature of my descriptions.

The issue came up suddenly last week. Reports and observations suggest a 
spyware-like infestation and maybe virus-like effects that can render a 
machine unusable due to performance issues or corruption.

McAfee didn't pick it up, and it took alot of coaxing to get them to 
even begin talking to us to help idenfity the problem. I don't know if 
they can identify it even yet.

Propagation seems to be via the network. We think we're seeing related 
traffic, and we have blocked Windows File Sharing in response but with 
no effect.

Infected machines included those that have Service Pack 4. It seems 
there may be a few security patches that render workstations immune, and 
these may be broken by SP4, though they can be subsequently fixed with 
additional post-SP4 patches.

Identifying attributes that seemed to be common between machines are:
- The spyware Golden Retriever is on most or all of the machines.
- Processes related to Winstat, Winstatkeep, Winform and Winformkeep are 
found on most or all machines.
- The virus downloader.ps is in most or all of the machine.
- Something places itself "into every instance of 'run' in the 
registry", and registers itself as a service and a legacy driver.
- Malware processes are randomly named, but usually start with a w.
- 100% erradication seems necessary, or the machine will become infested 
immediately after reboot.

It appears we have not been able to erradicate it effectively, and 
re-ghosting machines is a tremendous problem. The reports I hear are 
that no one else is seeing this.

Anyone have any ideas about what this could be, and would anyone be 
willing to talk with the support folks about specific experiences?

Thanks for bearing with me, and I appreciate any help you can offer.


| Brad Coburn         coburn at tcnj.edu                lT |
| Manager, Communications Technologies                  |
| Information Technology, The College of New Jersey     |
| Phone:609-771-2319      Fax:609-637-5377 (alt: 5100)  |
| Mailing: PO Box 7718    Shipping:2000 Pennington Rd   |
|            Ewing, NJ 08628-0718                    +--|
|                                                    |  |

More information about the unisog mailing list