March 31st, 2006 03:55 PM
Virus Evades Panda & Kaspersky
It looks like I've got a pesky infection on my hands that I can't get to go away.
Yesterday I was checking one of our client's servers, and found that its memory was getting eaten up by many, many multiple update.exe processes that were running in the background. A google search quickly revealed this:
: update or update.exe
update.exe is registered as the W97M.Exedrop downloader. This process usually comes bundled with a virus and its main role is to do nothing other than download other viruses to your computer. It is a registered security risk and should be removed immediately.
update.exe is also a process belonging to the BargainBuddy advertising program by eXact Advertising LLC. This process monitors your browsing habits and distributes the data back to the author's servers for analysis. This also prompts advertising popups. This program is a registered security risk and should be removed immediately.
So this server already has Panda installed, so I ran a scan. Found 0 infected files. So next I tried online scans -- Housecall wouldn't run for some reason, but I got the Kaspersky online scan to run. Interestingly enough, Kaspersky found 4 infected files that Panda never caught; however, even after removing those, I still have tons of update.exe processes running.
You can kill the processes, but they immediately crank right back up.
So next I ran Spybot, and it found a handful of problems as well, but still failed to do anything about update.exe. Meanwhile, all these processes continue to eat away at the server's memory.
So what should I do now? Before someone says "scan in safe mode", please note that's a last resort (though life would be a lot easier if I could). I work on these client machines remotely through RDC, so if I rebooted into safe mode, I'd lose access to the machine. If push comes to shove, we can send someone out there to do it in person, but that's a last resort.
What's funny is the client still has no clue they're infected. I just happened upon it while checking up on the server. That being the case, I hope I can get it cleaned out before they discover they have been infected -- just makes us look that much better when we fix problems before they know they have them!
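A process that comes straight back after being killed has something respawning it, so the useful next step over RDC is to find the parent rather than keep killing children. The script below is an added triage example, not from the original post; it assumes PowerShell 3 or later is available on the server (the `$target` name, the registry key list and the output format are my own choices), and it only reads, never kills or deletes.

```powershell
# Added example: map every update.exe process to the image it runs from and the
# process that spawned it, then look for autostart entries that reference it.
$target = 'update.exe'

$all   = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }

$hits = @($all | Where-Object { $_.Name -ieq $target })
if ($hits.Count -eq 0) { Write-Output "No $target processes found."; return }

# One row per instance: where it lives, what launched it, how much memory it holds.
foreach ($p in $hits) {
    $parent = $byPid[[int]$p.ParentProcessId]
    $spawnedBy = if ($parent) {
        "$($parent.Name) (PID $($parent.ProcessId)) -> $($parent.ExecutablePath)"
    } else {
        "<parent exited> (PID $($p.ParentProcessId))"
    }
    [pscustomobject]@{
        PID          = $p.ProcessId
        Image        = $p.ExecutablePath
        CommandLine  = $p.CommandLine
        WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        SpawnedBy    = $spawnedBy
    }
}

# A single parent PID accounting for most instances is the respawner to examine.
$hits | Group-Object ParentProcessId | Sort-Object Count -Descending |
    ForEach-Object { "Parent PID $($_.Name) spawned $($_.Count) instance(s)" }

# Common autostart locations (assumed list, not taken from the post).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
$pattern = [regex]::Escape($target)
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $props = Get-ItemProperty -Path $k
    foreach ($prop in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        if ("$($prop.Value)" -imatch $pattern) { "Autostart: $k\$($prop.Name) = $($prop.Value)" }
    }
}

# Services can also relaunch it under a different name; check their image paths too.
Get-CimInstance Win32_Service | Where-Object { $_.PathName -imatch $pattern } |
    ForEach-Object { "Service: $($_.Name) -> $($_.PathName)" }
```

Once the parent and the autostart entry are known, the binaries involved can be submitted to the scanners that missed them and the persistence entry can be disabled before the processes are stopped, which avoids the immediate respawn.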