^`d}qZxu and ~`d}qzxu3zYF Help me to find this

ciper · Post by **ciper** » Tue Mar 16, 2004 1:44 am

Look in your registry for these. Post a reply if you see either

^`d}qZxu
~`d}qzxu3zYF
Specifically look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

ciper · Post by **ciper** » Tue Mar 16, 2004 3:08 am

Also look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices

ciper · Post by **ciper** » Tue Mar 16, 2004 4:05 am

If affected use TCPVIEW from Sysinternals to see which applications are listening on the ports.

%systemroot%\system32\soundman.exe is probably what you will see.

ciper · Post by **ciper** » Tue Mar 16, 2004 8:23 am

If the virus is running soundman.exe is hidden.

If you create a text file in your temp folder and rename it soundman.exe it will disapear!

eastbaysubaru · Post by **eastbaysubaru** » Wed Mar 17, 2004 6:45 am

How is it spread?

-Brian

ciper · Post by **ciper** » Wed Mar 17, 2004 6:46 am

Nobody really knows yet. The AV vendors aren't as smart as you think, they know its a varient of another older virus so they assume it uses the same infection method.

I have more details about it if anyone is interested.

JasonGrahn · Post by **JasonGrahn** » Thu Mar 18, 2004 6:50 pm

feel free to post details online of your virus. oh wait.. your computer virus.

ciper · Post by **ciper** » Fri Mar 19, 2004 12:11 am

Booting safe mode and running stiner 2.1.5 will get rid of most the files.

Check your host file for redirection of many web sites to 127.0.0.1

The two registry entry I mentioned should be manually deleted

One way I thought of preventing infection was to create a file named soundman.exe in the system32 folder and removing all permissions from it (click advanced and then uncheck inherity permissions and choose remove).

Also changing the host file back to original and giving everyone including administrators and the system account read only access will prevent redirection.

So far this virus seems to spread through an unpatched hole. We have had machines without email applications get infected.
Machines that did not have a c$ administrative share where infected
Machines that DIDNT have a blank local password got it
Machines that werent part of the domain got it
Plus we use SUS on some machines and they got infected.

Post by **Legacy777** » Fri Mar 19, 2004 1:19 am

did the machines still have the admin$ share there....that gets shared out too

Other then that....I don't really see how it'd get through......

ciper · Post by **ciper** » Fri Mar 19, 2004 1:27 am

Ill double check that one, didnt notice.

I almost think its another RPC hole or something.

Post by **Legacy777** » Fri Mar 19, 2004 4:33 pm

wonderful....that means I get the fun job of patching all our stupid old nt4 automation machines........at least the 2k machines will get it through policies....and will just need reboots.

ciper · Post by **ciper** » Fri Mar 19, 2004 10:45 pm

You should try SUS for the 2K/XP machines. It works well and reduces internet traffic significantly. Plus you control exactly what patches they do/dont get.

Post by **Legacy777** » Sat Mar 20, 2004 1:02 am

Yeah I had it setup on one of our servers and was going to use it, but it changed permissions. So I need to set it up on another server and change the group policies to point to it.

Right now it's just going to WU site to get the stuff.

This network of automation machines was put together so hap-hazardly....it's pityful....and thing that gets me is these are mission critcal machines and some of them are running old dell desktop machines 400 mhz 128mb ram

legacycentral bbs

A forum for 89-94 BC-BF(BJ) Legacy Owners and Fans

^`d}qZxu and ~`d}qzxu3zYF Help me to find this

^`d}qZxu and ~`d}qzxu3zYF Help me to find this