Worm Advisory: Bling.exe Updates32.exe SYSTESM32.EXE
Join Date: Mar 2004
Posts: 1,620
Solved Threads: 51
Hello,
At work, I am seeing three new variants of deviant behavior on our network. The machines are Windows 2000 and XP Pro, and they are patched to recent patch levels. Norton Antivirus does not detect these viruses, and the internet is really skimpy on details.
SYSTESM32.EXE
-- yes it is spelled correctly
-- found several times with regedit, but only in safe mode
-- prevents regedit and task manager from staying open
-- floods the network trying to re-infect (I did not sniff, no tech detail)
-- Had to use Procview from www.prcview.com to kill this in normal mode
-- was infected on Sept 28, so is new to us
-- Key name is Winsock, and the value is systesm32.exe
-- Was able to kill it off by booting into safe mode and scanning the registry.
BLING.EXE and UPDATES32.EXE
-- both are worms found in regedit using the key name "psYko"
-- floods the network trying to re-infect (I did not sniff, so no tech detail)
-- UPDATES32.EXE "harder" to remove. Has survived a few reboots
-- need to boot to safe mode to remove from registry and kill off exe file
-- Read Microsoft KB 296405 and 246261.
-- We are testing RestrictAnonymous at level 2
-- Usually 3 to 4 instances of files in the registry.
-- Can be seen in Computer Management, under shared folder sessions. Look for the head without a username... that is an anonymous connection.
If others have any other information to add, please post.
Christian
Join Date: Mar 2004
Posts: 1,620
Solved Threads: 51
Update 10/3:
Starting to see the bling.exe registry value assigned to a new key name: Microsofts Updates.
It is possible to have two instances of Bling running... one of them under the psyko key, and the other on Microsofts Updates.
To kill it off, we have been going to safe mode, and killing the file's listings in the registry. We are also changing the RestrictAnonymous value from 0 to 2.
So far, we have not seen a re-infection when the value = 2.
Christian
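The cleanup described in the two posts above comes down to two registry checks: autorun values named psYko, Winsock or Microsofts Updates that launch bling.exe, updates32.exe or systesm32.exe, and the RestrictAnonymous level under the Lsa key. The Python script below is an added example, not code from this thread or from any of the posters; it triages those checks offline from a regedit export (File > Export in regedit, which can be taken in safe mode). The embedded .reg text is constructed for the example: the value names and executable names are the ones reported in the posts, while the file paths and the benign entry are made up. It assumes the "key names" in the posts are value names under the Run, RunOnce and RunServices keys, which is where regedit shows them.

```python
import re

# Indicators reported in the thread: value names and executable names.
SUSPECT_VALUE_NAMES = {"psyko", "winsock", "microsofts updates"}
SUSPECT_EXECUTABLES = {"bling.exe", "updates32.exe", "systesm32.exe"}
AUTORUN_KEY_SUFFIXES = ("\\run", "\\runonce", "\\runservices")
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample regedit export (paths and the benign entry are made up).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"psYko"="C:\\WINNT\\system32\\bling.exe"
"Microsofts Updates"="C:\\WINNT\\system32\\bling.exe"
"Winsock"="systesm32.exe"
"ExampleBenignApp"="C:\\Program Files\\Example\\example.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"psYko"="C:\\WINNT\\system32\\updates32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""

# One value line: "name"=data  (data is a quoted string, dword:..., hex:..., etc.)
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def _unescape(s):
    """Undo the backslash escaping regedit applies to names and REG_SZ data."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    REG_SZ data is returned as str, dword data as int; other types stay raw."""
    reg = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            reg.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name = _unescape(m.group("name"))
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            value = int(data[6:], 16)
        else:
            value = data
        reg[current][name] = value
    return reg


def find_autorun_indicators(reg):
    """Return (key, value_name, data, reason) for autorun entries that match
    either a suspect value name or a suspect executable name."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(AUTORUN_KEY_SUFFIXES):
            continue
        for name, data in values.items():
            reasons = []
            if name.lower() in SUSPECT_VALUE_NAMES:
                reasons.append("value name %r" % name)
            if isinstance(data, str):
                # First token that ends in .exe, regardless of path or arguments.
                m = re.search(r'([^\\/"\s]+\.exe)', data, re.IGNORECASE)
                if m and m.group(1).lower() in SUSPECT_EXECUTABLES:
                    reasons.append("executable %s" % m.group(1))
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


def restrict_anonymous_level(reg):
    """Return the RestrictAnonymous DWORD from the Lsa key, or None if absent."""
    for key, values in reg.items():
        if key.lower() == LSA_KEY.lower():
            v = values.get("RestrictAnonymous")
            return v if isinstance(v, int) else None
    return None


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, data, reason in find_autorun_indicators(parsed):
        print("SUSPECT  [%s] %r = %r  (%s)" % (key, name, data, reason))
    level = restrict_anonymous_level(parsed)
    # The posts report no re-infection once RestrictAnonymous is raised to 2.
    print("RestrictAnonymous = %r  (%s)" % (level, "ok" if level == 2 else "below 2"))
```

Run it against a real export by reading the file into `parse_reg_export` instead of `SAMPLE_REG_EXPORT`; on the constructed sample it flags the four worm entries, leaves the benign one alone, and reports RestrictAnonymous as still 0.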
Join Date: Oct 2004
Posts: 1
Solved Threads: 0
Yeah, I've been running into the 'updates32.exe' on my network too.
This is the 1st post I've run across that references it. I'm glad I found it, kc0arf; I was beginning to think it was my imagination.
It's giving me fits. I haven't been able to successfully clean it off of any of the systems. I've been using 'HijackThis' and a few other tools, but I can't seem to kill it.
I'm going to give that 'RestrictAnonymous=2' thing a try now.
Any other info would be greatly appreciated.