-
August 25th, 2003, 05:23 PM
#1
Junior Member
Unidentified worm - Trying to identify.
Symptoms include full IP scans of all subnets via ICMP.
Installs the following in HKCU/Run: and HKLM/Run:
winsct32.exe
winmgm32.exe
prpcui.exe
pntask.exe
loadqm.exe
The only hit I've gotten on any of these is on winmgm32.exe, claiming to be a variant of SOBIG.
Any assistance in identifying appreciated, but it appears to be jumping from machine to machine.
-
August 25th, 2003, 05:30 PM
#2
Junior Member
Well, after looking up those files:
loadqm.exe is the MSN Queue Manager Loader, which is installed with MSN Explorer and MSN Messenger,
pntask.exe came up with Backdoor.Lala.C
http://securityresponse.symantec.com...or.lala.c.html
not sure about winsct32.exe though
prpcui.exe is Intel(R) SpeedStep(TM) technology User Interface
http://www.reger24.de/prozesse/prpcui.exe.html
"it is better to stay silent and appear stupid than to speak and remove all doubt"
-
August 25th, 2003, 05:31 PM
#3
Heard rumours about an "ICMP" worm today at the office; they didn't give a name to it, other than that it wasn't in yet, but they weren't sure.
Keep me posted.
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
And no one can recall the gentle features of the queen's face that fair day, when the land here rested in holy peace and all had love to love with.
-
August 25th, 2003, 05:34 PM
#4
WINMGM32.exe
Existence of the file WINMGM32.EXE in the Windows directory, file size 65,536 bytes, indicates infection by the Sobig virus worm. This usually comes to you from Big Boss, big@boss.com.
http://www.antivirusscans.com/Winmgm32.htm
winsct32.exe
didn't find anything on winsct32.exe
loadqm.exe
loadqm - loadqm.exe - Process Information
Process File: loadqm or loadqm.exe
Process Name: MSN Queue Manager Loader
Description: The MSN Queue Manager Loader is installed with MSN Explorer and MSN Messenger. It can sometimes use a lot of system resources.
Common Errors: N/A
System Process: No
http://www.liutilities.com/products/...ibrary/loadqm/
pntask.exe
Backdoor.Lala.C is a Trojan Horse that steals confidential information from a compromised computer. It is a variant of Backdoor.Lala that installs one additional file, detected as Backdoor.Trojan, to allow for remote access. The existence of the file Pntask.exe is an indication of a possible infection.
http://securityresponse.symantec.com...or.lala.c.html
prpcui.exe
http://www.reger24.de/prozesse/prpcui.exe.html
-
August 25th, 2003, 05:35 PM
#5
I searched Symantec. It came up with SOBIG and Backdoor.Lala.C.
Mad Beaver
-
August 26th, 2003, 02:51 AM
#6
Junior Member
Any quick fix for eradicating these two? Since they constantly spread, once removed it can reoccur. If a machine is infected and the MS patch is applied, will the MS patch remove the registry keys and the .EXEs that are pulled down?
Also, we block TFTP at the firewall, but somehow the executables still get pulled to these machines. What port is being used to pull down the payload?
-
August 26th, 2003, 04:17 AM
#7
Junior Member
Here's the fix we're implementing:
Via our network login script, we're first pushing the Microsoft RPC/DCOM patch, then
deleting the registry keys via WSCRIPT (can supply the VBS by request), then
deleting the C:\winnt\system32\wins directory and its contents, then
we validate the fix(es) by running McAfee STINGER.EXE to scan all local disks.
That should prevent future infection and prevent recurrence by whacking the executables and registry entries.
All in all, we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).
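The remediation above removes the Run entries and the wins directory by hand. As an added example that is not the poster's VBS (which is not on the page), here is a Python check that parses a `reg export` of the HKLM and HKCU Run keys and flags entries whose program is one of the filenames listed earlier in the thread, or is launched from the system32\wins directory the login script deletes. The .reg text is constructed, every path in it is an assumption, and loadqm.exe and prpcui.exe get a "review" verdict rather than "remove" because earlier posts identify them as legitimate programs, so a basename match alone is not enough for those two.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Tuple

# Basenames reported in this thread as installed into HKCU\Run and HKLM\Run.
SUSPECT_NAMES = {"winsct32.exe", "winmgm32.exe", "prpcui.exe", "pntask.exe", "loadqm.exe"}
# Earlier posts identify these two as legitimate products, so a basename hit
# alone only earns a "review" verdict for them.
ALSO_LEGITIMATE = {"loadqm.exe", "prpcui.exe"}
# The directory the poster's login script deletes; assumption: anything
# started from it at logon is a removal candidate regardless of its name.
SUSPECT_DIR = "\\system32\\wins\\"


@dataclass
class Finding:
    key: str
    value_name: str
    command: str
    reasons: List[str]
    verdict: str  # "remove" or "review"


# One REG_SZ line of a .reg export: "name"="data", with \\ and \" escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = _VALUE_RE.match(line)
            if m:  # hex: and dword: values do not match and are skipped
                yield key, _unescape(m.group(1)), _unescape(m.group(2))


def executable_path(command: str) -> str:
    """Return the program part of a Run command: the quoted path, or the first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def scan_run_keys(reg_text: str) -> List[Finding]:
    """Flag Run-key values that match the thread's indicators."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if not key.upper().endswith("\\CURRENTVERSION\\RUN"):
            continue
        exe = executable_path(data)
        base = exe.rsplit("\\", 1)[-1].lower()
        in_suspect_dir = SUSPECT_DIR in exe.lower()
        reasons = []
        if base in SUSPECT_NAMES:
            reasons.append(f"basename {base} is on the thread's list")
        if in_suspect_dir:
            reasons.append("launched from the system32\\wins directory")
        if not reasons:
            continue
        strong = in_suspect_dir or base not in ALSO_LEGITIMATE
        findings.append(Finding(key, name, data, reasons, "remove" if strong else "review"))
    return findings


# Constructed sample export; the paths are assumptions, not values from the thread.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Example Tray"="\"C:\\Program Files\\Example\\tray.exe\" /background"
"winmgm32"="C:\\WINNT\\winmgm32.exe"
"Microsoft Update"="C:\\WINNT\\system32\\wins\\winsct32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"LoadQM"="\"C:\\Program Files\\MSN\\loadqm.exe\" /quiet"
"Printer Task"="C:\\WINNT\\system32\\pntask.exe"
'''

if __name__ == "__main__":
    for f in scan_run_keys(SAMPLE_EXPORT):
        print(f"{f.verdict:6} {f.key}\\{f.value_name} -> {f.command}  ({'; '.join(f.reasons)})")
```

On a real machine the input would come from `reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run hklm-run.reg` (and the HKCU equivalent); the script only reports, so the operator still decides what the login script deletes.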
-
August 27th, 2003, 04:20 PM
#8
Originally posted here by cruzlanman
Here's the fix we're implementing:
Via our network login script, we're first pushing the Microsoft RPC/DCOM patch, then
deleting the registry keys via WSCRIPT (can supply the VBS by request), then
deleting the C:\winnt\system32\wins directory and its contents, then
we validate the fix(es) by running McAfee STINGER.EXE to scan all local disks.
Great. But why are you nuking the c:\winnt\system32\wins dir?
That should prevent future infection and prevent recurrence by whacking the executables and registry entries.
This will only prevent infections based on the RPC/DCOM hole (i.e. Blaster/LoveSAN). It doesn't protect you against other viruses (like SoBig). SoBig-F doesn't (mis)use any bug or exploit to infect your system.
All in all, we could have avoided this by 1) having desktops patched and 2) putting desktop policies in place to eliminate installation of software locally (non-admin account).
I agree with 1 but not 2. Please note that there are viruses that use bugs in the OS. Some of these bugs will yield a higher privilege (LOCALSYSTEM) when exploited and thus cannot be stopped using this type of policy.
Oliver's Law:
Experience is something you don't get until just after you need it.