
Thread: Anyone Seen This

  1. #1
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152

    Anyone Seen This

    I had a site call me telling me there was something wrong with the computer.

    They have an app support specialist connect to them remotely...this is where I think it came in,
    as the tech knew what the virus was as soon as things started acting up.
    Said he had "seen it before".

    Machine had an expired AV program on it (dell...3 month)...but was fully patched.

    Machine does have a share used by the app....but is behind a router and has the XP firewall on.

    Tech identified it as W32.Licum.

    I have never seen anything like this...Symantec has minimal info.

    ALL exes are infected, cannot run Norton...cannot run anything for that matter.

    Network Associates seems to have more info....

    http://vil.nai.com/vil/content/v_134857.htm

    This is a VERY nasty virus as I could not see it in the usual places......

    Heads up...

    Any tools that you think may help.

    I need an updated AV on CD to scan the drive....I DO NOT want this disk in my machine.

    I have to go get my kid...but will be back!!!!

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  2. #2
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    My first tool of choice now is TrendMicro's Sysclean.. (don't forget to d/l the pattern file) run in safe mode or from a PE environment CD, life is easy..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  3. #3
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I love the whole virus naming scheme.

    Could it be this one from Trend Micro :
    TROJ_TENGADL.A ?
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  4. #4
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    For this type of infection I have found using boot CDs to be a HUGE help. They run in a protected environment, and have full access to all files on the drive.

    http://www.frozentech.com/content/li...ort=&showonly=

    has a list of CDs, many of which are made just for this type of thing.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  5. #5
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Thanks for the info everyone

    Yes it is one and the same...many names

    It has infected ALL exes...I cannot run any program.

    Came in the open share....

    There is nothing in the reg, and HijackThis has found nothing either.

    I need to scan the disk but I am very wary of slaving it into my computer

    and also it is a SATA drive...but so is my new machine....it just....I know nothing about it.

    Do I just plug it into the other connector...?
    and it becomes a slave...I am severely lacking on my new hardware skills......

    I am looking at boot disks....I need an AV to run on Knoppix???

    Any other help or links are greatly appreciated

    Mlf
    How people treat you is their karma- how you react is yours-Wayne Dyer

  6. #6
    Senior Member
    Join Date
    May 2003
    Posts
    1,199
    Look for a boot disk that comes with AV loaded on it. Many of them have preloaded tools for this.
    Everyone is going to die, I am just as good of a reason as any.

    http://think-smarter.blogspot.com

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Any suggestions??

    I am looking at BART right now

    Thanks

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Well......

    I found multiple dl.exe files and deleted....

    I then cleared all temp files and was able to reinstall

    Symantec AV.....and it errored out a bit....

    but it ran.....before it got infected...the updates were already on the machine

    but I have it scanning and cleaning as we speak

    wooo hooo!!!!!

    I appreciate all the suggestions and am gonna read up on these boot disks.......and get me one for the future

    I'm gonna rescan in safe mode...

    F#$k.what a pain

    so far has found and cleaned 352 files...all exes....and counting

    Jeez..

    A taste of things to come?????

    Many thanks to this great forum...and the members that responded

    MLF

    edit> I tried to hand out greenies...but I still have intermittent problems with APs...sometimes they work...sometimes they don't
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    HijackThis won't help you, mainly because there is no startup key for the virus; it has piggy-backed onto legit exes, like explorer. I've seen this kind of virulent behaviour before, it's not pretty, but it's not subtle either. An AV should have picked it up ASAP, but if you're already infected, then there's not much I can recommend. Cleaning out all those binaries is very hard.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features in the queen's face that fair day when the land here rested in holy peace and everyone had love to love with.

  10. #10
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    I haven't had a chance to follow up on this particular bug..

    A trick that is used with a number of worms is to have a link saved in the registry to automatically update/download the worm executable.. While the information on this one isn't suggesting this.. it is probable.. a network aware virus, that auto updates sort of goes back a while (couple of years) was it Brazil or Gayporn or something of that or of that ilk..

    so once the files are clean you will need to do a registry clean (oh F%%%)

    I am the greatest supporter of remove and destroy.. but your case is moving toward the wipe it clean dept.

    I format and reinstall more than ever.. our company policy is now 2hrs max per job.. and a virus must be cleaned in less than an hour..
    AND that is Bench time not Tech time.. it has nothing to do with costs to customer, they are paying more ..it is a saving to management.. it is also to be seen as being more efficient...
    Heck, I am now picking up some great spare parts for home as a result of this..
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
