[unisog] Virus Identification / Eradication assistance

Dave Ellingsberg dave.ellingsberg at csu.mnscu.edu
Wed Feb 9 18:53:38 GMT 2005

using regedt32 set rights on the run key to read only for everyone[admin
and system also, by everyone I mean everyone on the box]! to install
most software you will have to give system the right to rwx this key and
then remove it after installing.  Locking down this key will prevent
most trojans and bots and virual infections from happening!

>>> coburn at tcnj.edu 2/9/2005 11:11:58 AM >>>

Hi all. I'm posting this on behalf of others in my organization who are

fighting a Windows 2000 malware issue that has suddenly popped up on 
campus and is almost debilitating in its effects on workstations and 
possibly the network. This is all third hand for me, so please excuse 
the vague nature of my descriptions.

The issue came up suddenly last week. Reports and observations suggest
spyware-like infestation and maybe virus-like effects that can render a

machine unusable due to performance issues or corruption.

McAfee didn't pick it up, and it took alot of coaxing to get them to 
even begin talking to us to help idenfity the problem. I don't know if

they can identify it even yet.

Propagation seems to be via the network. We think we're seeing related

traffic, and we have blocked Windows File Sharing in response but with

no effect.

Infected machines included those that have Service Pack 4. It seems 
there may be a few security patches that render workstations immune,
these may be broken by SP4, though they can be subsequently fixed with

additional post-SP4 patches.

Identifying attributes that seemed to be common between machines are:
- The spyware Golden Retriever is on most or all of the machines.
- Processes related to Winstat, Winstatkeep, Winform and Winformkeep
found on most or all machines.
- The virus downloader.ps is in most or all of the machine.
- Something places itself "into every instance of 'run' in the 
registry", and registers itself as a service and a legacy driver.
- Malware processes are randomly named, but usually start with a w.
- 100% erradication seems necessary, or the machine will become
immediately after reboot.

It appears we have not been able to erradicate it effectively, and 
re-ghosting machines is a tremendous problem. The reports I hear are 
that no one else is seeing this.

Anyone have any ideas about what this could be, and would anyone be 
willing to talk with the support folks about specific experiences?

Thanks for bearing with me, and I appreciate any help you can offer.


| Brad Coburn         coburn at tcnj.edu                lT |
| Manager, Communications Technologies                  |
| Information Technology, The College of New Jersey     |
| Phone:609-771-2319      Fax:609-637-5377 (alt: 5100)  |
| Mailing: PO Box 7718    Shipping:2000 Pennington Rd   |
|            Ewing, NJ 08628-0718                    +--|
|                                                    |  |
unisog mailing list
unisog at lists.sans.org 

More information about the unisog mailing list