ipcNL.exe
Thread: ipcNL.exe

  1. #1
    Member
    Join Date
    Mar 2003
    Posts
    50

    ipcNL.exe

    Hey all,

    Does anyone know what this ipcNL.exe application does in the Windows OS? I was hit by this "W32.Valla.2048" virus... it was in the ipcNL.exe file... my AV caught this and cleaned the file. So I was wondering what this application really does... it was found in the "winnt\system32" dir.

    I did a Google search... but all that came up was the virus info... nothing about the ipcNL application.

    I am using 2k pro.


    Thx in advance

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    I think this file is associated with the Muma virus.

    ALIAS: Worm.Win32.Muma, HackTool.Win32.Hucline, Mumu, W32/Muma, BAT/Muma.A, BAT/Passer.A

    See the following URL:
    http://www.f-secure.com/v-descs/muma.shtml


    Here's a quote from the URL:

    "This new variant copies only two files, one of them is a zip archive containing all the files belonging to the worm, specifically: "


    NTSERVICE.BAT
    IPCNL.EXE

  3. #3
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    There is no valid Windows file named ipcNL.exe. This file is part of the process certain worms use to spread (like MUMA).

  4. #4
    HeadShot Master N1nja Cybr1d
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Bat/Mumu-B
    Aliases
    HackTool.Win32.Hucline, Bat/Muma-A

    Type
    Batch file worm

    Detection
    A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and is incorporated into the August 2003 (3.72) release of Sophos Anti-Virus.

    Sophos has received several reports of this worm from the wild.

    Note: Sophos has been detecting Bat/Mumu-B since 10:08 GMT on 18 June, but has issued this new IDE to improve detection.


    Description
    Bat/Mumu-B, like Bat/Mumu-A, is a network worm that consists of a collection of hacking tools and scripts used to discover and exploit common configuration problems of the IPC$ share on Windows computers.

    Vulnerable systems are found by scanning random IP addresses. The worm spreads by copying the files ntservice.bat and ipcnl.exe to the Windows system32 folder of the remote machine.

    Bat/Mumu-B uses the Trojan Troj/Hacline-A to scan remote machines.

    The worm starts the Trojan Troj/PcGhost that logs keystrokes and steals passwords and attempts to send them to a preconfigured email account at certain intervals.

    Bat/Mumu-B also attempts to weaken the security of the computer by creating an account in the local admin group with the username admin and the password KKKKKKK.

    Bat/Mumu-B mainly consists of the following BAT files:

    10.BAT
    HACK.BAT
    IPC.BAT
    MUMA.BAT
    NEAR.BAT
    RANDOM.BAT
    REPLACE.BAT
    START.BAT
    SS.BAT

    with TXT files:
    IPCPASS.TXT
    NWIZE.IN_
    NTSERVICE.INI
    SPACE.TXT
    TIHUAN.TXT

    and also contains the following clean executables:
    PSEXEC.EXE (A networking utility)
    REP.EXE (A string manipulation utility)
    PCMSG.DLL (A legitimate utility associated with logging keystrokes).
    NTSERVICE.EXE (A utility to start services under Windows NT).


    Recovery
    Please follow the instructions for removing worms.
    Bat/Mumu-B exploits weak network security. If Bat/Mumu-B has spread over your network you should check permissions and passwords, particularly domain administrator passwords, on your network.





    http://www.sophos.com/virusinfo/analyses/batmumub.html
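
Added example, not part of the original thread or of the Sophos write-up: a triage check that matches a `dir /b` listing of system32 and the output of `net localgroup Administrators` against the Bat/Mumu-B file names and the `admin` account described in post #4. The function names, verdict strings and sample inputs are constructed for illustration.

```python
# Indicators taken from the Sophos Bat/Mumu-B description quoted in post #4.
WORM_FILES = {
    "ntservice.bat", "ipcnl.exe", "10.bat", "hack.bat", "ipc.bat", "muma.bat",
    "near.bat", "random.bat", "replace.bat", "start.bat", "ss.bat",
    "ipcpass.txt", "nwize.in_", "ntservice.ini", "space.txt", "tihuan.txt",
}
# Listed there as clean executables the worm bundles: a hit needs context.
BUNDLED_TOOLS = {"psexec.exe", "rep.exe", "pcmsg.dll", "ntservice.exe"}
ROGUE_ACCOUNT = "admin"  # account the worm adds to the local admin group


def admin_members(net_output):
    """Return member names from `net localgroup Administrators` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if line.startswith("----"):
            in_list = True          # members follow the dashed separator
        elif in_list and line and not line.startswith("The command"):
            members.append(line)
    return members


def triage(dir_listing, net_output):
    """Classify a system32 listing plus the local admin group members."""
    # Windows file names are case-insensitive, so compare in lower case.
    names = {n.strip().lower() for n in dir_listing.splitlines() if n.strip()}
    worm = sorted(names & WORM_FILES)
    tools = sorted(names & BUNDLED_TOOLS)
    rogue = any(m.lower() == ROGUE_ACCOUNT for m in admin_members(net_output))
    if worm:
        verdict = "worm files present"
    elif rogue or tools:
        verdict = "review manually"   # dual-use tool or ambiguous account
    else:
        verdict = "no listed indicators"
    return {"worm_files": worm, "bundled_tools": tools,
            "rogue_admin": rogue, "verdict": verdict}


# Constructed sample input (not taken from a real host).
SAMPLE_DIR = "cmd.exe\nipcNL.exe\nNTSERVICE.BAT\nPsExec.exe\nnotepad.exe\n"
SAMPLE_NET = ("Alias name     Administrators\nComment        (constructed)\n\n"
              "Members\n\n" + "-" * 79 + "\nAdministrator\nadmin\n"
              "The command completed successfully.\n")

if __name__ == "__main__":
    print(triage(SAMPLE_DIR, SAMPLE_NET))
```

A file-name match alone does not say whether the file's contents are malicious, so a hit is a prompt to scan or remove the file, not a verdict on it.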

  5. #5
    Member
    Join Date
    Mar 2003
    Posts
    50
    Thanks for your comments...
    I was thinking that file is needed for the IPC$ share... since my AV program did not delete this file (or am I supposed to delete it manually?). However, it shows that the file is clean.

    Do you guys think I should delete this file?
