Results 1 to 8 of 8

Thread: Unidentified worm - Trying to identify.

  1. #1
    Junior Member
    Join Date
    Feb 2003
    Posts
    5

    Question Unidentified worm - Trying to identify.

    Symptoms include full IP scans of all subnets via ICMP.

    Installs the following in HKCU/Run: and HKLM/Run:

    winsct32.exe
    winmgm32.exe
    prpcui.exe
    pntask.exe
    loadqm.exe

    The only hit I've gotten on any of these is on wingmg32.exe claiming to be a variant of SOBIG.

    Any assistance in identifying appreicated, but it appears to be jumping from machine to machine.

  2. #2
    Junior Member
    Join Date
    Aug 2003
    Posts
    28
    well after looking up those files,

    loadqm.exe is The MSN Queue Manager Loader is installed with MSN Explorer and MSN Messenger,

    pntask.exe came up with Backdoor.Lala.C

    http://securityresponse.symantec.com...or.lala.c.html

    not sure about winsct32.exe tho

    prpcui.exe is Intel(R) SpeedStep(TM) technology User Interface

    http://www.reger24.de/prozesse/prpcui.exe.html

    \"it is better to stay silent and appear stupid then to speak and remove all doubt\"


  3. #3
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Heard roumers about an "ICMP" worm today at the office, didn't give a name to it, other than that it wasn't in yet, but they wheren't sure.

    Keep me posted.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.

  4. #4
    Senior Member
    Join Date
    Aug 2002
    Posts
    547
    WINMGM32.exe
    Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes, Indicates infection of the Sobig Virus worm. This usually comes to you from Big Boss, big@boss.com.

    http://www.antivirusscans.com/Winmgm32.htm

    winsct32.exe
    didn't find anything on winsct32.exe


    loadqm.exe

    loadqm - loadqm.exe - Process Information
    Process File: loadqm or loadqm.exe
    Process Name: MSN Queue Manager Loader
    Description: The MSN Queue Manager Loader is installed with MSN Explorer and MSN Messenger. It can somtimes use a lot of system resources
    Common Errors: N/A
    System Process: No

    http://www.liutilities.com/products/...ibrary/loadqm/

    pntask.exe

    Backdoor.Lala.C is a Trojan Horse that steals confidential information from a compromised computer. It is a variant of Backdoor.Lala that installs one additional file, detected as Backdoor.Trojan, to allow for remote access. The existence of the file Pntask.exe is an indication of a possible infection.

    http://securityresponse.symantec.com...or.lala.c.html

    prpcui.exe

    http://www.reger24.de/prozesse/prpcui.exe.html

  5. #5
    Senior Member MadBeaver's Avatar
    Join Date
    Jul 2003
    Location
    Bath, Maine
    Posts
    252
    I searched Symantec. It came up with SOBIG and Backdoor.Lala.C
    Mad Beaver

  6. #6
    Junior Member
    Join Date
    Feb 2003
    Posts
    5
    Any quick-fix for eradicating these two? Since they constant spread, once removed it can reoccur. If a machine is infected and the MS Patch is applied, will the MS Patch remove the registry keys and the .EXE's that are pulled down?

    Also, we block TFTP at the firewall, but somehow the executables still get pulled to these machines. What port is being used to pull down the payload?

  7. #7
    Junior Member
    Join Date
    Feb 2003
    Posts
    5
    Here's the fix we're implementing:

    Via our network login script, we're first pushing the Microsoft RPC/DCOM Patch, then
    deleting the registry keys via WSCRIPT (can supply the VBS by request), then
    delete the C:\winnt\system32\wins directory and its contents then
    we validate the fix(s) by running McAfee STINGER.EXE to scan all local disks.

    That should prevent future infection, prevents recurrence by wacking the executables and registry entries.

    All-in-all we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).

  8. #8
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Originally posted here by cruzlanman
    Here's the fix we're implementing:

    Via our network login script, we're first pushing the Microsoft RPC/DCOM Patch, then
    deleting the registry keys via WSCRIPT (can supply the VBS by request), then
    delete the C:\winnt\system32\wins directory and its contents then
    we validate the fix(s) by running McAfee STINGER.EXE to scan all local disks.
    Great. But why are you nuking the c:\winnt\system32\wins dir?


    That should prevent future infection, prevents recurrence by wacking the executables and registry entries.
    This will only prevent infections based on the RPC/DCOM hole (ie Blaster/LoveSAN). It doesn't protect you against other virusses (like SoBig). SoBig-F doesn't (mis)use any bug or exploit to infect your system.


    All-in-all we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).
    I agree with 1 but not 2. Please note that there are virusses that use bugs in the OS. Some of these bugs will yield a higher privilege (LOCALSYSTEM) when exploited and thus cannot be stopped using this type of policy.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •