Sep 30th, 2004
Worm Advisory: Bling.exe Updates32.exe SYSTESM32.EXE

Hello,

At work, I am seeing three new variants of deviant behavior on our network. The machines are Windows 2000 and XP Pro, and they are patched to recent patch levels. Norton Antivirus does not detect these viruses, and the internet is really skimpy on details.

SYSTESM32.EXE
-- yes it is spelled correctly
-- found several times with regedit, but only in safe mode
-- prevents regedit and task manager from staying open
-- floods the network trying to re-infect (I did not sniff, no tech detail)
-- Had to use Procview from www.prcview.com to kill this in normal mode
-- was infected on Sept 28, so is new to us
-- Key name is Winsock, and the value is systesm32.exe
-- Was able to kill it off by booting into safe mode and scanning the registry.

BLING.EXE and UPDATES32.EXE
-- both are worms found in regedit using the key name "psYko"
-- floods the network trying to re-infect (I did not sniff, so no tech detail)
-- UPDATES32.EXE is "harder" to remove. It has survived a few reboots.
-- need to boot to safe mode to remove from registry and kill off exe file
-- Read Microsoft KB 296405 and 246261.
-- We are testing RestrictAnonymous at level 2
-- Usually 3 to 4 instances of files in the registry.
-- Can be seen in Computer Management, under shared folder sessions. Look for the head without a username... that is an anonymous connection.


If others have any other information to add, please post.

Christian
Posted by kc0arf
Oct 4th, 2004

Re: Worm Advisory: Bling.exe Updates32.exe SYSTESM32.EXE

Update 10/3:

Starting to see the bling.exe registry value assigned to a new key name: Microsofts Updates.

It is possible to have two instances of Bling running... one of them under the psyko key, and the other on Microsofts Updates.

To kill it off, we have been going to safe mode, and killing the file's listings in the registry. We are also changing the RestrictAnonymous value from 0 to 2.

So far, we have not seen a re-infection when the value = 2.

Christian
Posted by kc0arf
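The two posts above give a defender three things to check on a suspect box: the autostart entries named "psYko", "Winsock" and "Microsofts Updates" pointing at bling.exe, updates32.exe or systesm32.exe, and the RestrictAnonymous value under the Lsa key (0 before hardening, 2 after). The following script is an added example, not code from the thread or its posters: it parses a registry export (the text regedit writes when you export a key from safe mode) and flags those indicators. It assumes the thread's "key name" means the value name under one of the standard Run keys, and the sample export embedded below is constructed for the demonstration, not captured from an infected machine.

```python
import re

# Indicators as reported in the thread (value names and executable names). The posts do not say
# which autostart key the values lived under, so checking the common Run keys is an assumption.
SUSPECT_VALUE_NAMES = {"psyko", "winsock", "microsofts updates"}
SUSPECT_EXES = {"bling.exe", "updates32.exe", "systesm32.exe"}
AUTOSTART_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed sample export (regedit "Export" format); not from a real machine.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINNT\\system32\\NvCpl.dll,NvStartup"
"psYko"="C:\\WINNT\\system32\\bling.exe"
"Microsofts Updates"="C:\\WINNT\\system32\\updates32.exe"
"Winsock"="systesm32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
'''

# A value line is either "name"=data or @=data (the key's default value).
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()       # registry paths are case-insensitive
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "(Default)" if m.group(1) is None else m.group(1).replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = m.group(2)
    return keys


def decode(raw):
    """Decode REG_SZ and REG_DWORD data; other types (hex(...)) are returned untouched."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def find_autostart_hits(keys):
    """List (key, value name, data, reason) for autostart entries matching the thread's indicators."""
    hits = []
    for key in AUTOSTART_KEYS:
        for name, raw in keys.get(key.lower(), {}).items():
            data = decode(raw)
            command = data.lower() if isinstance(data, str) else ""
            reasons = []
            if name.lower() in SUSPECT_VALUE_NAMES:
                reasons.append("value name reported in thread")
            if any(exe in command for exe in SUSPECT_EXES):
                reasons.append("executable reported in thread")
            if reasons:
                hits.append((key, name, data, "; ".join(reasons)))
    return hits


def restrict_anonymous_level(keys):
    """Return the RestrictAnonymous DWORD; a missing value behaves like 0 on NT4/2000/XP."""
    raw = keys.get(LSA_KEY.lower(), {}).get("RestrictAnonymous")
    return decode(raw) if raw is not None else 0


def audit(text):
    keys = parse_reg(text)
    return {"autostart_hits": find_autostart_hits(keys),
            "restrict_anonymous": restrict_anonymous_level(keys)}


if __name__ == "__main__":
    result = audit(SAMPLE_REG)
    for key, name, data, why in result["autostart_hits"]:
        print(f"SUSPECT {key}\\{name} = {data!r} ({why})")
    level = result["restrict_anonymous"]
    status = "level 2, as tested in the thread" if level == 2 else "anonymous enumeration not restricted to level 2"
    print(f"RestrictAnonymous = {level} ({status})")
```

Run it against a real export by replacing SAMPLE_REG with the contents of the exported .reg file; matching on both the value name and the executable name means a renamed value (such as the "Microsofts Updates" variant in the second post) is still caught as long as it launches one of the reported files.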
Oct 5th, 2004

Re: Worm Advisory: Bling.exe Updates32.exe SYSTESM32.EXE

Yeah, I've been running into 'updates32.exe' on my network too.

This is the 1st post I've run across that references it. I'm glad I found it, kc0arf; I was beginning to think it was my imagination.

It's giving me fits. I haven't been able to successfully clean it off any of the systems; I've been using 'HijackThis' and a few other tools, but I can't seem to kill it.

I'm going to give that 'RestrictAnonymous=2' thing a try now.

Any other info would be greatly appreciated.
Posted by Gothmog