0

Hello,

At work, I am seeing three new variants of deviant behavior on our network. The machines are Windows 2000 and XP Pro, and they are patched to recent patch levels. Norton Antivirus does not detect these viruses, and the internet is really skimpy on details.

SYSTESM32.EXE
-- yes it is spelled correctly
-- found several times with regedit, but only in safe mode
-- prevents regedit and task manager from staying open
-- floods the network trying to re-infect (I did not sniff, no tech detail)
-- Had to use Procview from www.prcview.com to kill this in normal mode
-- was infected on Sept 28, so is new to us
-- Key name is Winsock, and the value is systesm32.exe
-- Was able to kill it off booting into safe mode, and scanning registry.

BLING.EXE and UPDATES32.EXE
-- both are worms found in regedit using the key name "psYko"
-- floods the network trying to re-infect (I did not sniff, so no tech detail)
-- UPDATES32.EXE "harder" to remove. Has survived a few reboots
-- need to boot to safe mode to remove from registry and kill off exe file
-- Read Microsoft KB 296405 and 246261.
-- We are testing RestrictAnonymous at level 2
-- Usually 3 to 4 instances of files in the registry.
-- Can be seen in Computer Management, under shared folder sessions. Look for the head without a username... that is an anonymous connection.


If others have any other information to add, please post.

Christian

2
Contributors
2
Replies
4
Views
12 Years
Discussion Span
Last Post by Gothmog
0

Update 10/3:

Starting to see the bling.exe registry value assigned to a new key name: Microsofts Updates.

It is possible to have two instances of Bling running... one of them under the psyko key, and the other on Microsofts Updates.

To kill it off, we have been going to safe mode, and killing the file's listings in the registry. We are also changing the RestrictAnonymous value from 0 to 2.

So far, we have not seen a re-infection when the value = 2.

Christian

0

Yeah, I've been running into the 'updates32.exe' too on my network too.

This is the 1st post I've run across that references it, I'm glad I found it, kc0arf, I was beginning to think it was my imagination.

It's giving me fits. Haven't been able to successfully clean it off of any of the systems, I've been using 'HijackThis' and a few other tools, but I can't seem to kill it.

I'm going to give that 'RestrictAnonymous=2' thing a try now.

Any other info would be greatly appreciated.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.