
^`d}qZxu and ~`d}qzxu3zYF Help me to find this

Posted: Tue Mar 16, 2004 1:44 am
by ciper
Look in your registry for these. Post a reply if you see either:

^`d}qZxu
~`d}qzxu3zYF
Specifically look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Posted: Tue Mar 16, 2004 3:08 am
by ciper
Also look under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runservices

Posted: Tue Mar 16, 2004 4:05 am
by ciper
If affected use TCPVIEW from Sysinternals to see which applications are listening on the ports.

%systemroot%\system32\soundman.exe is probably what you will see.

Posted: Tue Mar 16, 2004 8:23 am
by ciper
If the virus is running, soundman.exe is hidden.

If you create a text file in your temp folder and rename it soundman.exe, it will disappear!

Posted: Wed Mar 17, 2004 6:45 am
by eastbaysubaru
How is it spread?

-Brian

Posted: Wed Mar 17, 2004 6:46 am
by ciper
Nobody really knows yet. The AV vendors aren't as smart as you think; they know it's a variant of another older virus, so they assume it uses the same infection method.

I have more details about it if anyone is interested.

Posted: Thu Mar 18, 2004 6:50 pm
by JasonGrahn
feel free to post details online of your virus. oh wait.. your computer virus.

Posted: Fri Mar 19, 2004 12:11 am
by ciper
Booting safe mode and running Stinger 2.1.5 will get rid of most of the files.

Check your hosts file for redirection of many web sites to 127.0.0.1.

The two registry entries I mentioned should be manually deleted.

One way I thought of preventing infection was to create a file named soundman.exe in the system32 folder and remove all permissions from it (click Advanced, then uncheck inherit permissions and choose Remove).

Also, changing the hosts file back to the original and giving everyone, including administrators and the system account, read-only access will prevent redirection.

So far this virus seems to spread through an unpatched hole. We have had machines without email applications get infected.
Machines that did not have a C$ administrative share were infected.
Machines that DIDN'T have a blank local password got it.
Machines that weren't part of the domain got it.
Plus we use SUS on some machines and they got infected.
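An added example, not from this thread or its participants: a Python 3 script that checks the two indicators ciper describes, the odd value names under the Run/RunServices keys and hosts-file entries that send real web sites to 127.0.0.1. The registry is read only on Windows (via winreg); everywhere else it runs against a constructed sample, and the sample paths and hostnames are invented.

```python
import sys

SUSPECT_VALUE_NAMES = {"^`d}qZxu", "~`d}qzxu3zYF"}   # autostart value names from the thread
RUN_KEYS = (r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices")
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}  # legitimately loopback

def find_suspect_run_values(run_values):
    """run_values: {key_path: {value_name: data}} -> list of (key, name, data) hits."""
    return [(key, name, data) for key, values in run_values.items()
            for name, data in values.items() if name in SUSPECT_VALUE_NAMES]

def find_loopback_redirects(hosts_text):
    """Hostnames a hosts file maps to 127.0.0.1 or ::1, other than the usual local names."""
    hits = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()          # drop comments, then tokenize
        if len(fields) >= 2 and fields[0] in ("127.0.0.1", "::1"):
            hits.extend(n for n in fields[1:] if n.lower() not in LOCAL_NAMES)
    return hits

def read_run_values_windows():
    """Enumerate both autostart keys under HKLM with winreg (Windows only); absent keys read as empty."""
    import winreg
    result = {}
    for key in RUN_KEYS:
        result[key] = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as handle:
                for index in range(winreg.QueryInfoKey(handle)[1]):   # [1] = number of values
                    name, data, _ = winreg.EnumValue(handle, index)
                    result[key][name] = data
        except OSError:
            pass                                        # key not present on this system
    return result

# Constructed sample input (hypothetical paths and hostnames) so the checks run anywhere.
SAMPLE_RUN = {RUN_KEYS[0]: {"ExampleTray": r"C:\Program Files\Example\tray.exe",
                            "^`d}qZxu": r"%systemroot%\system32\soundman.exe"},
              RUN_KEYS[1]: {}}
SAMPLE_HOSTS = ("# constructed hosts file\n127.0.0.1  localhost\n::1  localhost\n"
                "127.0.0.1  www.example-av.test  update.example-av.test  # hijacked\n")

if __name__ == "__main__":
    run_values = read_run_values_windows() if sys.platform == "win32" else SAMPLE_RUN  # live only on Windows
    hosts_text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS  # or pass a path
    for key, name, data in find_suspect_run_values(run_values):
        print(f"suspect autostart value {name!r} under HKLM\\{key}: {data}")
    for host in find_loopback_redirects(hosts_text):
        print(f"hosts file sends {host} to loopback")
```

On Windows, pass `%SystemRoot%\System32\drivers\etc\hosts` as the first argument to check the live hosts file.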

Posted: Fri Mar 19, 2004 1:19 am
by Legacy777
did the machines still have the admin$ share there....that gets shared out too

Other than that....I don't really see how it'd get through......

Posted: Fri Mar 19, 2004 1:27 am
by ciper
I'll double-check that one, didn't notice.

I almost think it's another RPC hole or something.

Posted: Fri Mar 19, 2004 4:33 pm
by Legacy777
wonderful....that means I get the fun job of patching all our stupid old nt4 automation machines........at least the 2k machines will get it through policies....and will just need reboots.

Posted: Fri Mar 19, 2004 10:45 pm
by ciper
You should try SUS for the 2K/XP machines. It works well and reduces internet traffic significantly. Plus you control exactly what patches they do/don't get.

Posted: Sat Mar 20, 2004 1:02 am
by Legacy777
Yeah, I had it set up on one of our servers and was going to use it, but it changed permissions. So I need to set it up on another server and change the group policies to point to it.

Right now it's just going to the WU site to get the stuff.

This network of automation machines was put together so haphazardly....it's pitiful....and the thing that gets me is these are mission critical machines and some of them are running old Dell desktop machines, 400 MHz, 128 MB RAM.