
Thread: New Virus

  1. #11
    Junior Member
    Join Date
    Aug 2004
    Posts
    18
    I have found a variant of this on my mother-in-law's computer (go figure), same scenery, but this had also implanted itself as a system service. I had re-booted into safe mode to remove the service and all registry changes.

    But in regular mode, I could not get into control panel to see if I could start shutting off ports to see if I could get it to stop. Also I could not open programs from start; had to go through the run window. Seemed to have made several programs, all with different names. So if I moved it to virus vault it would just make another program.

    These were installed in the windows directory. I am going to try a recovery tomorrow.

  2. #12
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Posts
    1,608
    Ok, tell the class please - what filenames and locations, what service name, etc. as you find them? Some of us want to be curious without having to tear apart the offending program... (that's why we love Nihil and Ric-o).
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  3. #13
    Senior Member OverdueSpy's Avatar
    Join Date
    Nov 2002
    Posts
    556
    Ok. If you are running ISS you should be able to find the first infected system by highlighting the tag name, right click and select "What are the sources of this event?". Then all you have to do is filter the "Earliest Event" and voilà, you have the first offender. And now you can give us the details.

    If I had to guess on what little we know, I would go with a MyTob worm variant (a.k.a. MyDoom). At least MyTob meets all of the conditions described so far.
    The mentally handicapped are persecuted in this great country, and I say rightfully so! These people are NUTS!!!!

  4. #14
    Junior Member
    Join Date
    Aug 2004
    Posts
    18
    The service was called, of all things, 'Network Security Service'. The file was ipcw.exe, sitting in the Windows directory. Service name was a bunch of gibberish.

    But then there were a bunch of other small exe files sitting in the Windows directory that would fire off as you removed them, so in a sense one would take another's place. They were dated back to about March 9th, so it was probably going on since then.
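
Added example, not part of the thread: a read-only triage pass for the indicators described in post #14, namely a service whose executable sits directly in the Windows directory and several small .exe files there with similar dates. It assumes Windows PowerShell 5.1 or later; the variable names and the size threshold are illustrative assumptions.

```powershell
# Added triage sketch (not from the thread). Read-only: it lists, it changes nothing.
$winDir = $env:SystemRoot

# 1. Services whose binary sits directly in the Windows directory root.
#    Built-in services normally run from System32 or Program Files.
$services = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $raw = [Environment]::ExpandEnvironmentVariables([string]$_.PathName)
    # PathName may be quoted and may carry arguments; keep only the .exe path.
    if ($raw -match '^\s*"?(.+?\.exe)\b') {
        $exe = $Matches[1]
        if ((Split-Path -Path $exe -Parent) -ieq $winDir) {
            [pscustomobject]@{
                Name        = $_.Name         # internal service name
                DisplayName = $_.DisplayName  # friendly name shown in services.msc
                State       = $_.State
                StartMode   = $_.StartMode
                Path        = $exe
            }
        }
    }
}

# 2. Executables in the Windows directory root, with timestamps, signature
#    status and hash so each one can be compared against a known-good machine.
$files = Get-ChildItem -Path $winDir -Filter *.exe -File -Force |
    Select-Object Name, Length, CreationTime, LastWriteTime,
        @{ n = 'Signature'; e = { (Get-AuthenticodeSignature -FilePath $_.FullName).Status } },
        @{ n = 'SHA256';    e = { (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash } }

# 3. Days on which more than one small executable appeared. A cluster of
#    same-day files matches the "bunch of small exe files" pattern.
$smallLimit = 200KB   # assumed threshold, adjust to taste
$clusters = $files | Where-Object { $_.Length -lt $smallLimit } |
    Group-Object { $_.CreationTime.Date.ToString('yyyy-MM-dd') } |
    Where-Object { $_.Count -gt 1 } |
    Select-Object @{ n = 'Day'; e = { $_.Name } }, Count,
        @{ n = 'Files'; e = { ($_.Group.Name -join ', ') } }

'--- Services running from the Windows directory root ---'
$services | Format-Table -AutoSize -Wrap
'--- Executables in the Windows directory root ---'
$files | Sort-Object CreationTime | Format-Table -AutoSize -Wrap
'--- Same-day clusters of small executables ---'
$clusters | Format-Table -AutoSize -Wrap
```

A hit in any of the three lists is a lead to check against a clean reference system, not a verdict.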
