Results 1 to 5 of 5

Thread: I got bit by W32.HLLW.Ultimax worm

  1. #1
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210

    Angry I got bit by W32.HLLW.Ultimax worm

    damn it.. I don't know how.. (it could of been that my son visited some site.. haven't gathered all info yet) I believe my sygate firewall was running and doing it's job but possibly my son allowed the connection he won't admit a thing.. no more internet for him unless I'm right there..

    but I got this worm and it bugged me out for hours today.

    When I rebooted the computer this afternoon I found a dialer that wanted to dial out.
    It was called "innocent virgins" and I used dialguard to capture what connection username
    and password and phone number..

    u/n was PZBPA03YUS@dialco
    p/w was ZPBPA03
    phone number 1-900-226-3768

    now this pissed me off.. I looked in my running processes and found rdvs.exe running.
    reg key in the ...\Windows\CurrentVersion\Run ..

    a scan with trojanhunter and tauscan and norton av corporate edition (with defs from last week) showed nada...

    I did a search on google's usegroups for this innocent virgins dialer and found this posting
    I'll show just a single response (sorry I didn't save the link)

    A friend of mine had this dialer123.exe labeled "Innocent Virgins" on
    het PC 3 weeks ago. It reappeared last Friday. When I cleaned her PC
    *again* I found two trojans running on it. One was
    c:\windows\system\wnmngm1.exe, that left a patch log called
    wnmngm1.lgc claiming to have altered a shockingly long list of Windows
    components:

    urlmon.dll, shlwapi.dll, user.exe, mpr.exe, ole32.dll, ver.dll,
    shell32.dll, msvcrt.dll, wsock32.dll, ws2_32.dll, tapi32.dll,
    secur32.dll, rpcrt4.dll, svrapi.dll, msnet32.dll, rasapi32.dll,
    mswsock.dll, icmp.dll, dhcpsvc.dll, rnaapp.exe

    Furthermore -and even more worrying to her- I found a thing called
    c:\windows\command\top\rundll32.exe that appeared to be a modified
    version of the Serv-U ftp server masquerading as the rundll32 Windows
    component. This thing had left a very similar patch log rundll32.lgc,
    it seems to have modified the original rundll32 component among
    others.

    My friend also had Norton Antivirus with current virus definition
    files. I have posted this same information at a symantec tech support
    newsgroup, hopefully they will take action.

    so then I found the dialer123.exe file and the two wnmngm files.. (i'll zip and attach here)
    and i see that I didn't have a wnmngm1.lgc file but a wnmngm1.dll instead.
    i haven't yet looked within the dll to see any reference to affecting the above mentioned files
    but I'm suspecting that they weren't altered as stated.. one more thing to check.

    and found that symantec just released a new definition file (no wonder i couldn't see it)


    http://securityresponse.symantec.com...w.ultimax.html

    as far as i can see/tell... no files were downloaded..and installed last nite so I'm
    assuming it was a malious site or popup..

    this is the FIRST virus/worm I actually let infect me in all the years of surfing I've done.
    now I know that one can never be sure.. even if you think you have protection.

    edit: btw, I did not find any c:\windows\command\top\rundll32.exe file like mentioned in the thread i found on the usenet.. I'm thinking that either this guy was getting mixed up (to put it nicely) or that this worm has other versions out there..

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    244

    Re: I got bit by W32.HLLW.Ultimax worm

    Those dialers can disconnect you from your isp and dial their own costly number [lets say $2,50/min]
    Check your isp dialer to see it s still the dialer you made to connect!

    Remove all none yours!
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

  3. #3
    Junior Member
    Join Date
    Jul 2002
    Posts
    27
    just looked at your post and the link sounds nasty, does your son use MSN messenger or hotmail, i have been recieving dozens of files containing worms from other hotmail users.

    just thought it might be aline of avenue that it might of arrived on, hope your system is ok

    99

  4. #4
    Senior Member
    Join Date
    Feb 2002
    Posts
    1,210
    believe me.. kadeng.. I got rid of that dialer and my isp's dun is ok..

    no, robbie.. he has a lycos account but never gets mail.. or even much spam..

    and my system is just fine, thanks..

    and when i looked in that wnmngm1.dll file.. it had just the number 2

  5. #5
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Or, if it is feasible, call your phone company and tell them to disconnect the long distance service from the line that your computer runs on (assuming you have a regular line and one that is just used for the computer). That way the call can never go through. I had a problem with the same thing not long ago, and the disconnection of long-distance saved me a few times, since I have my modem speaker turned off, and can't tell if it disconnects and redials suddenly.

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •