Printable View
Symptoms include full IP scans of all subnets via ICMP.
Installs the following in HKCU/Run: and HKLM/Run:
winsct32.exe
winmgm32.exe
prpcui.exe
pntask.exe
loadqm.exe
The only hit I've gotten on any of these is on wingmg32.exe claiming to be a variant of SOBIG.
Any assistance in identifying appreicated, but it appears to be jumping from machine to machine.
well after looking up those files,
loadqm.exe is The MSN Queue Manager Loader is installed with MSN Explorer and MSN Messenger,
pntask.exe came up with Backdoor.Lala.C
http://securityresponse.symantec.com...or.lala.c.html
not sure about winsct32.exe tho
prpcui.exe is Intel(R) SpeedStep(TM) technology User Interface
http://www.reger24.de/prozesse/prpcui.exe.html
:o Heard roumers about an "ICMP" worm today at the office, didn't give a name to it, other than that it wasn't in yet, but they wheren't sure.
Keep me posted.
WINMGM32.exe
Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes, Indicates infection of the Sobig Virus worm. This usually comes to you from Big Boss, big@boss.com.
http://www.antivirusscans.com/Winmgm32.htm
winsct32.exe
didn't find anything on winsct32.exe
loadqm.exe
loadqm - loadqm.exe - Process Information
Process File: loadqm or loadqm.exe
Process Name: MSN Queue Manager Loader
Description: The MSN Queue Manager Loader is installed with MSN Explorer and MSN Messenger. It can somtimes use a lot of system resources
Common Errors: N/A
System Process: No
http://www.liutilities.com/products/...ibrary/loadqm/
pntask.exe
Backdoor.Lala.C is a Trojan Horse that steals confidential information from a compromised computer. It is a variant of Backdoor.Lala that installs one additional file, detected as Backdoor.Trojan, to allow for remote access. The existence of the file Pntask.exe is an indication of a possible infection.
http://securityresponse.symantec.com...or.lala.c.html
prpcui.exe
http://www.reger24.de/prozesse/prpcui.exe.html
I searched Symantec. It came up with SOBIG and Backdoor.Lala.C
Any quick-fix for eradicating these two? Since they constant spread, once removed it can reoccur. If a machine is infected and the MS Patch is applied, will the MS Patch remove the registry keys and the .EXE's that are pulled down?
Also, we block TFTP at the firewall, but somehow the executables still get pulled to these machines. What port is being used to pull down the payload?
Here's the fix we're implementing:
Via our network login script, we're first pushing the Microsoft RPC/DCOM Patch, then
deleting the registry keys via WSCRIPT (can supply the VBS by request), then
delete the C:\winnt\system32\wins directory and its contents then
we validate the fix(s) by running McAfee STINGER.EXE to scan all local disks.
That should prevent future infection, prevents recurrence by wacking the executables and registry entries.
All-in-all we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).
Great. But why are you nuking the c:\winnt\system32\wins dir?Quote:
Originally posted here by cruzlanman
Here's the fix we're implementing:
Via our network login script, we're first pushing the Microsoft RPC/DCOM Patch, then
deleting the registry keys via WSCRIPT (can supply the VBS by request), then
delete the C:\winnt\system32\wins directory and its contents then
we validate the fix(s) by running McAfee STINGER.EXE to scan all local disks.
This will only prevent infections based on the RPC/DCOM hole (ie Blaster/LoveSAN). It doesn't protect you against other virusses (like SoBig). SoBig-F doesn't (mis)use any bug or exploit to infect your system.Quote:
That should prevent future infection, prevents recurrence by wacking the executables and registry entries.
I agree with 1 but not 2. Please note that there are virusses that use bugs in the OS. Some of these bugs will yield a higher privilege (LOCALSYSTEM) when exploited and thus cannot be stopped using this type of policy.Quote:
All-in-all we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).