At work, I am seeing three new variants of deviant behavior on our network. The machines are Windows 2000 and XP Pro, and they are patched to recent patch levels. Norton Antivirus does not detect these viruses, and the internet is really skimpy on details.
-- yes it is spelled correctly
-- found several times with regedit, but only in safe mode
-- prevents regedit and task manager from staying open
-- floods the network trying to re-infect (I did not sniff, no tech detail)
-- Had to use Procview from www.prcview.com to kill this in normal mode
-- was infected on Sept 28, so is new to us
-- Key name is Winsock, and the value is systesm32.exe
-- Was able to kill it off booting into safe mode, and scanning registry.
BLING.EXE and UPDATES32.EXE
-- both are worms found in regedit using the key name "psYko"
-- floods the network trying to re-infect (I did not sniff, so no tech detail)
-- UPDATES32.EXE "harder" to remove. Has survived a few reboots
-- need to boot to safe mode to remove from registry and kill off exe file
-- Read Microsoft KB 296405 and 246261.
-- We are testing RestrictAnonymous at level 2
-- Usually 3 to 4 instances of files in the registry.
-- Can be seen in Computer Management, under shared folder sessions. Look for the head without a username... that is an anonymous connection.
If others have any other information to add, please post.