damn it.. I don't know how.. (it could have been that my son visited some site.. haven't gathered all info yet) I believe my Sygate firewall was running and doing its job, but possibly my son allowed the connection; he won't admit a thing.. no more internet for him unless I'm right there..
but I got this worm and it bugged me out for hours today.
When I rebooted the computer this afternoon I found a dialer that wanted to dial out.
It was called "innocent virgins" and I used DialGuard to capture the connection's username,
password and phone number..
u/n was PZBPA03YUS@dialco
p/w was ZPBPA03
phone number 1-900-226-3768
now this pissed me off.. I looked in my running processes and found rdvs.exe running.
reg key in the ...\Windows\CurrentVersion\Run ..
a scan with TrojanHunter and TauScan and Norton AV Corporate Edition (with defs from last week) showed nada...
I did a search on Google's Usenet groups for this Innocent Virgins dialer and found this posting
I'll show just a single response (sorry I didn't save the link)
A friend of mine had this dialer123.exe labeled "Innocent Virgins" on
her PC 3 weeks ago. It reappeared last Friday. When I cleaned her PC
*again* I found two trojans running on it. One was
c:\windows\system\wnmngm1.exe, that left a patch log called
wnmngm1.lgc claiming to have altered a shockingly long list of Windows
urlmon.dll, shlwapi.dll, user.exe, mpr.exe, ole32.dll, ver.dll,
shell32.dll, msvcrt.dll, wsock32.dll, ws2_32.dll, tapi32.dll,
secur32.dll, rpcrt4.dll, svrapi.dll, msnet32.dll, rasapi32.dll,
mswsock.dll, icmp.dll, dhcpsvc.dll, rnaapp.exe
Furthermore -and even more worrying to her- I found a thing called
c:\windows\command\top\rundll32.exe that appeared to be a modified
version of the Serv-U FTP server masquerading as the rundll32 Windows
component. This thing had left a very similar patch log rundll32.lgc,
it seems to have modified the original rundll32 component among
My friend also had Norton Antivirus with current virus definition
files. I have posted this same information at a Symantec tech support
newsgroup, hopefully they will take action.
so then I found the dialer123.exe file and the two wnmngm files.. (I'll zip and attach here)
and I see that I didn't have a wnmngm1.lgc file but a wnmngm1.dll instead.
I haven't yet looked within the dll to see any reference to affecting the above mentioned files
but I'm suspecting that they weren't altered as stated.. one more thing to check.
and found that Symantec just released a new definition file (no wonder I couldn't see it)
as far as I can see/tell... no files were downloaded.. and installed last night, so I'm
assuming it was a malicious site or popup..
this is the FIRST virus/worm I actually let infect me in all the years of surfing I've done.
now I know that one can never be sure.. even if you think you have protection.
edit: btw, I did not find any c:\windows\command\top\rundll32.exe file as mentioned in the thread I found on Usenet.. I'm thinking that either this guy was getting mixed up (to put it nicely) or that this worm has other versions out there..
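As an added triage example (not from the original post or the quoted Usenet reply), a PowerShell script that enumerates Run-key persistence like the rdvs.exe entry found here, flags executables named after Windows components but living outside the system directories (the ...\command\top\rundll32.exe case from the thread), and lists any .lgc patch logs as evidence to collect. It assumes a current Windows host with PowerShell 5 or later; the core-component name list is an assumed starting set.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5+ on a
# current Windows host; the component-name list below is an assumed starting set.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)
$coreNames  = @('rundll32.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe', 'csrss.exe')
function Get-RunEntries {
    # One object per value under each Run key (skips PowerShell's PS* metadata props)
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}
function Get-ImagePath([string]$command) {
    # Return the executable portion of a Run value: quoted path, else the first token
    $c = $command.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+')[0]
}
function Test-Masquerade([string]$path) {
    # True when the file is named like a core Windows component but is not in a system dir
    $name = [IO.Path]::GetFileName($path).ToLower()
    if ($coreNames -notcontains $name) { return $false }
    $dir = [IO.Path]::GetDirectoryName($path)
    if (-not $dir) { return $true }   # bare name resolved via PATH: treat as suspect
    foreach ($s in $systemDirs) {
        if ($dir.TrimEnd('\') -eq $s.TrimEnd('\')) { return $false }
    }
    return $true
}
Get-RunEntries | ForEach-Object {
    $img  = Get-ImagePath $_.Command
    # MISSING also covers bare names like "rdvs.exe" that need a manual PATH lookup
    $flag = if (-not $img -or -not (Test-Path -LiteralPath $img)) { 'MISSING' } elseif (Test-Masquerade $img) { 'MASQUERADE' } else { 'ok' }
    [pscustomobject]@{ Flag = $flag; Name = $_.Name; Image = $img; Key = $_.Key }
} | Format-Table -AutoSize
# Patch logs such as wnmngm1.lgc / rundll32.lgc from the thread are worth preserving
Get-ChildItem -Path $env:SystemRoot -Filter '*.lgc' -Recurse -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime
```

Any MASQUERADE or MISSING row is a lead to hash and submit to the AV vendor, not proof of infection; legitimate installers occasionally register odd paths too.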