-
August 3rd, 2005, 09:42 PM
#1
Anyone Seen This
I had a site call me telling me there was something wrong with the computer.
They have an app support specialist connect to them remotely...this is where I think it came in,
as the tech knew what the virus was as soon as things started acting up.
He said he had "seen it before".
Machine had an expired AV program on it (dell...3 month)...but was fully patched.
Machine does have a share used by the app....but is behind a router and has the XP firewall on.
Tech identified it as W32.Licum.
I have never seen anything like this...Symantec has minimal info.
ALL exes are infected, cannot run Norton...cannot run anything for that matter.
Network Associates seems to have more info....
http://vil.nai.com/vil/content/v_134857.htm
This is a VERY nasty virus as I could not see it in the usual places......
Heads up...
Any tools that you think may help.
I need an updated AV on CD to scan the drive....I DO NOT want this disk in my machine.
I have to go get my kid...but will be back!!!!
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 3rd, 2005, 11:05 PM
#2
My first tool of choice now is TrendMicro's Sysclean.. (don't forget to d/l the pattern file). Run in safe mode or from a PE environment CD and life is easy..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
-
August 3rd, 2005, 11:29 PM
#3
I love the whole virus naming scheme.
Could it be this one from Trend Micro :
TROJ_TENGADL.A ?
" And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes
-
August 3rd, 2005, 11:30 PM
#4
For this type of infection I have found using boot CDs to be a HUGE help. They run in a protected environment, and have full access to all files on the drive.
http://www.frozentech.com/content/li...ort=&showonly=
has a list of cds, many of which are made just for this type of thing.
-
August 4th, 2005, 02:17 AM
#5
Thanks for the info everyone
Yes it is one and the same...many names
It has infected ALL exes...I cannot run any program.
Came in the open share....
There is nothing in the reg, and HijackThis has found nothing either.
I need to scan the disk but I am very wary of slaving it into my computer
and also it is a SATA drive...but so is my new machine....it just....I know nothing about it.
Do I just plug it into the other connector...?
and it becomes a slave...I am severely lacking on my new hardware skills......
I am looking at boot disks....I need an AV to run on Knoppix???
Any other help or links are greatly appreciated
Mlf
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 4th, 2005, 02:22 AM
#6
Look for a boot disk that comes with AV loaded on it. Many of them have preloaded tools for this.
-
August 4th, 2005, 02:37 AM
#7
Any suggestions??
I am looking at BART right now
Thanks
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 4th, 2005, 03:20 AM
#8
Well......
I found multiple dl.exe files and deleted them....
I then cleared all temp files and was able to reinstall
Symantec AV.....and it errored out a bit....
but it ran.....before it got infected...the updates were already on the machine
but I have it scanning and cleaning as we speak
wooo hooo!!!!!
I appreciate all the suggestions and am gonna read up on these boot disks.......and get me one for the future
I'm gonna rescan in safe mode...
F#$k.what a pain
so far has found and cleaned 352 files...all exes....and counting
Jeez..
A taste of things to come?????
Many thanks to this great forum...and the members that responded
MLF
edit> I tried to hand out greenies...but I still have intermittent problems with APs...sometimes they work...sometimes they don't
How people treat you is their karma- how you react is yours-Wayne Dyer
-
August 4th, 2005, 07:43 AM
#9
HijackThis won't help you, mainly because there is no startup key for the virus; it has piggy-backed onto legit exes, like explorer. I've seen this kind of virulent behaviour before. It's not pretty, but it's not subtle either; an AV should have picked it up ASAP, but if you're already infected, then there's not much I can recommend. Cleaning out all those binaries is very hard.
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .: Bring OS X to x86!:.
And no one can remember the gentle features of the queen's face on that fair day, when the land here rested in holy peace and everyone had love to love with.
-
August 4th, 2005, 09:25 AM
#10
I haven't had a chance to follow up on this particular bug..
A trick that is used with a number of worms is to have a link saved in the registry to automatically update/download the worm executable.. While the information on this one isn't suggesting this.. it is probable.. a network-aware virus that auto-updates sort of goes back a while (couple of years).. was it Brazil or Gayporn or something of that ilk..
So once the files are clean you will need to do a registry clean (oh F%%%).
I am the greatest supporter of remove and destroy.. but your case is moving toward the wipe-it-clean dept.
I format and reinstall more than ever.. our company policy is now 2hrs max per job.. and a virus must be cleaned in less than an hour..
AND that is bench time, not tech time.. it has nothing to do with costs to the customer, they are paying more.. it is a saving to management.. it is also to be seen as being more efficient...
Heck I am now picking up some great spare parts for home as a result of this..
"Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
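Posts #9 and #10 make the point that a file infector leaves no Run key to find and instead modifies every legitimate executable, so the only reliable way to tell a clean binary from a touched one is a baseline of known-good hashes taken before the incident. The script below is an added illustration of that check and is not code from this thread or from any AV vendor mentioned in it: it records SHA-256 and size for every executable under a directory, then re-walks the tree and reports files whose hash changed (and, separately, those that also grew, which is what an appending infector does), files that appeared after the baseline (the thread's dropped dl.exe is the model here), and files that went missing. The sample tree, file names and contents are constructed inline so it runs offline on any OS.

```python
import hashlib
import tempfile
from pathlib import Path

# Suffixes a file infector on Windows typically targets (assumption for the example).
EXEC_SUFFIXES = {".exe", ".dll", ".scr", ".com"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries don't sit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map relative path -> (sha256, size) for every executable under root."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            rel = p.relative_to(root).as_posix()
            baseline[rel] = (hash_file(p), p.stat().st_size)
    return baseline


def check_against_baseline(root: Path, baseline: dict) -> dict:
    """Compare the tree as it is now with a baseline taken earlier."""
    report = {"modified": [], "grown": [], "new": [], "missing": []}
    current = build_baseline(root)
    for rel, (old_hash, old_size) in baseline.items():
        if rel not in current:
            report["missing"].append(rel)
            continue
        new_hash, new_size = current[rel]
        if new_hash != old_hash:
            report["modified"].append(rel)
            # An appending infector makes the file larger; a pure patch would not.
            if new_size > old_size:
                report["grown"].append(rel)
    for rel in current:
        if rel not in baseline:
            report["new"].append(rel)
    return report


def demo() -> dict:
    """Constructed scenario: take a baseline, then alter the tree the way the thread describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        # Constructed stand-ins for executables; "MZ" is just the PE magic, nothing runs.
        (root / "app" / "good.exe").write_bytes(b"MZ" + b"\x00" * 100)
        (root / "notepad.exe").write_bytes(b"MZ" + b"\x90" * 50)
        (root / "readme.txt").write_bytes(b"not an executable, must be ignored")
        baseline = build_baseline(root)

        # Simulate one executable being altered by appending bytes (constructed marker).
        with (root / "notepad.exe").open("ab") as fh:
            fh.write(b"CONSTRUCTED-APPENDED-TAIL")
        # Simulate a dropped binary the baseline never saw (name taken from post #8).
        (root / "app" / "dl.exe").write_bytes(b"MZ" + b"\x01" * 10)

        return check_against_baseline(root, baseline)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

In practice the baseline would be written to removable or read-only media before the machine is ever exposed, and the comparison run from a boot CD or PE environment as posts #2 and #4 suggest, so the hashing code itself is not executed on the suspect installation.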