-
August 19th, 2004, 06:39 AM
#1
Junior Member
ntsysmgr.exe?
1. I have encountered a virus/worm/trojan named ntsysmgr.exe. This v/w/t self-replicates at startup, disables regedit, safe mode, cmd, config, anti-virus, auto-downloads. Resets the admin user and pass for local. Tries to connect to network through port 345. I have it isolated on a subnet of six comps (XP and 2000).
The anti-virus software used is Sophos 3.84 and it will not detect this thing.
Has anybody encountered this before? If so, do you know what virus this is and how to remove it?
2. I am writing a server-side batch file to locate and disable the network connection if the file is found. Does anyone know a very safe way of disconnecting a comp from a network through a batch file (ipconfig /release)? Will it work?
3. Would you like me to upload the file so you can take a look?
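A containment script of the kind asked about in point 2, added here as an example and not the poster's own; it assumes the binary sits in system32 as stated above, a hypothetical log share \\FILESERVER\share, the default adapter name "Local Area Connection", and that it runs from a local copy on each client (if run straight off a network share, cmd can no longer read the remaining lines once the adapter is down). Disabling the adapter with netsh is preferred over ipconfig /release, which only drops a DHCP lease and does nothing for a static address.

```batch
@echo off
REM Added example, not from the thread: quarantine a host when the suspect
REM binary is present. Run from a local copy (e.g. copied by a logon script).
setlocal

REM Assumptions: file location from the thread; log share and adapter name are
REM placeholders. Check the adapter name with: netsh interface show interface
set SUSPECT=%SystemRoot%\system32\ntsysmgr.exe
set LOGFILE=\\FILESERVER\share\quarantine.log
set ADAPTER=Local Area Connection

if not exist "%SUSPECT%" (
    echo %DATE% %TIME% %COMPUTERNAME% clean >> "%LOGFILE%"
    goto :eof
)

REM Log the hit BEFORE cutting the network; the share is unreachable afterwards.
echo %DATE% %TIME% %COMPUTERNAME% FOUND %SUSPECT% >> "%LOGFILE%"

REM Disable the adapter itself. ipconfig /release only drops a DHCP lease and
REM leaves a static address up, so it is kept only as a fallback.
netsh interface set interface name="%ADAPTER%" admin=DISABLED
if errorlevel 1 (
    REM Fallback where netsh cannot disable the adapter (assumed for some
    REM Windows 2000 hosts); still leaves a static address connected.
    ipconfig /release
)

endlocal
```

Run it with the hit logged to a share that is not writable by ordinary users, so a compromised host cannot erase its own record.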
-
August 19th, 2004, 06:48 AM
#2
Google doesn't find anything on it? Are you sure it's called that? Maybe it's a new virus; report it to an online AV company....
-
August 19th, 2004, 06:57 AM
#3
From your description, it sounds like a little more than just a little virus. I have yet to run across anything of that nature that changes passwords. Where is this file residing?
What are you using to see the file? Is it running as a service? Have you checked the file properties?
Then I would also have to ask: if it disables your AV, then I would suppose that your AV wouldn't detect it??
You can't boot into safe mode?? I think you have a bunch of things going on...
Rooted??
-
August 19th, 2004, 07:02 AM
#4
Would you like me to upload the file so you can take a look?
Yes please, as a ZIP or RAR if you could.
And have you submitted this file to Sophos? You never know your luck.
Cheers
"Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 19th, 2004, 07:07 AM
#5
Banned
Yes, definitely submit it. It sounds like one heck of a virus that I don't want to cross my path...
-
August 19th, 2004, 07:13 AM
#6
Junior Member
groovicus
Where is this file residing?
system32
What are you using to see the file?
Explorer and powerdesk.
Is it running as a service?
Process
You can't boot into safe mode??
When I try to boot into safe mode, it will automatically reboot after 5 secs.
Und3ertak3r
I will zip the file and upload it when I get to work.
It just appeared 2 days ago. I have been chasing it down and isolating it. I have not had the time to submit it to Sophos. Now I have time since it's isolated. It has been driving me crazy.
-
August 19th, 2004, 10:52 AM
#7
Maybe a variant of SDBOT? (AKA W32.HLLW.Gaobot)??
See Trend Micro
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
August 19th, 2004, 11:03 AM
#8
Yes, as IKnowNot has said, that is most likely what it is. The same thing happened to a user at my facility. The only difference is that it used 445 to replicate via Windows shares. Check that port number and verify if it really is 345.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
August 19th, 2004, 11:32 AM
#9
Junior Member
IKnowNot
Thank you, that looks like it. Now I have to wait until Sophos updates.
From Trend Micro:
Discovered: Aug. 18, 2004
I am still going to capture it and upload.
thehorse13
The port that it is going after is 345. I will check the logs again but I doubt the port changed.
Thank you all for your help.