Security Basics mailing list archives
RE: Possible worm infection or something else?
From: "Joey Matesic" <jmatesic () chipscc com>
Date: Mon, 1 Dec 2003 16:46:24 -0500
I recommend Ad-Aware 6.0. It's also free.

http://download.com.com/3000-2144-10214379.html?tag=lst-0-1

-----Original Message-----
From: James Arnott [mailto:James.Arnott () ardenthealth com]
Sent: Monday, December 01, 2003 1:58 PM
To: Rama Rao Adharapurapu; Firefly Digital Media; Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?

I would like to add that even though the machine is patched, it does not mean that it is clean. I would recommend running Stinger.exe as a cleaning tool on the system. (Cleans many bugs at once and it is free.) Make sure that you are scanning all of your local drives.

http://vil.nai.com/vil/stinger/

If nothing is found, which I am guessing is what is going to happen, the only other recommendation I can make is to turn on a network sniffer and look to see what is actually being broadcast from the machine. If you have an affected machine on your hands you should see TCMP and port 135 traffic being sent from the machine, directed to incrementing IP addresses.

Also make sure that your computer is not doing a System Restore, causing it to place back deleted virus files.

Please let me know if I can help any more.

-----Original Message-----
From: Rama Rao Adharapurapu [mailto:RamaRao.Adharapurapu () halliburton com]
Sent: Monday, December 01, 2003 10:50 AM
To: Firefly Digital Media; Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?

This looks like the Welchia worm, which removes Blaster. Try running the Welchia removal tool in safe mode, available at

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Check that KB824146 is applied! And reboot.

Regards,
Ramu

-----Original Message-----
From: Firefly Digital Media [mailto:brian () fireflydigitalmedia com]
Sent: Friday, November 28, 2003 5:48 PM
To: Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?

I had the same problem with an XP machine; it ended up being junky drivers. (HP junk) Is your system in question a Hewlett Packard?

Brian

-----Original Message-----
From: Giancarlo Ballestracci - IT & Technical Support [mailto:giancarlo.ballestracci () progenit it]
Sent: Friday, November 28, 2003 3:41 AM
To: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: Possible worm infection or something else?
Importance: High

Hi The Group,

I hope someone can give me good advice about this problem. I have a notebook with multiboot startup (2 Win2k, 1 WinXP). On the first Win2k partition, svchost.exe takes 100% of the CPU's resources. The system is regularly patched (SP4 and all the latest Hot Fixes), and the personal firewall and antivirus clients are updated. Scans with Symantec and Trend Micro have found nothing. I've tried to shut down all the services possible, without good result. I've also removed the last six applications installed: nothing happens. Only in safe mode (clear...) does the CPU work fine. Is it possible that a (new) worm sleeps inside the client? Initially, I thought about a Blaster worm... I've also checked the system registry, but there is nothing strange in the RUN key of LOCAL MACHINE. Can anybody enlighten me?

Thanks in advance
Giancarlo
IT Manager
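The sniffer check suggested in James Arnott's reply (traffic from one machine to incrementing IP addresses), as an added example that is not part of the original thread. The "src dst proto dport" record format, the sample addresses and the `min_run` threshold are constructed for illustration, and reading the post's "TCMP" as ICMP is an assumption.

```python
import ipaddress
from collections import defaultdict

def parse_flows(text):
    """Parse constructed 'src dst proto dport' lines into tuples."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or line.startswith("#"):
            continue
        src, dst, proto, dport = parts
        flows.append((src, dst, proto.lower(), dport))
    return flows

def longest_run(addresses):
    """Length of the longest run of consecutive IPv4 addresses."""
    nums = sorted({int(ipaddress.IPv4Address(a)) for a in addresses})
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur - prev == 1 else 1
        best = max(best, run)
    return best

def find_sweepers(flows, min_run=5):
    """Return {src: run_length} for hosts probing consecutive addresses
    with ICMP or TCP/135 (ICMP is an assumed reading of the post)."""
    targets = defaultdict(set)
    for src, dst, proto, dport in flows:
        if proto == "icmp" or (proto == "tcp" and dport == "135"):
            targets[src].add(dst)
    runs = {src: longest_run(dsts) for src, dsts in targets.items()}
    return {src: n for src, n in runs.items() if n >= min_run}

# Constructed sample capture summary: 192.0.2.10 sweeps, 192.0.2.20 is normal.
SAMPLE = "\n".join(
    [f"192.0.2.10 198.51.100.{i} icmp -" for i in range(1, 9)]
    + [f"192.0.2.10 198.51.100.{i} tcp 135" for i in range(1, 7)]
    + ["192.0.2.20 198.51.100.5 tcp 135",   # single RPC connection to a server
       "192.0.2.20 203.0.113.7 tcp 443",    # ignored: not ICMP or port 135
       "192.0.2.20 198.51.100.9 icmp -"]    # one isolated ping
)

if __name__ == "__main__":
    for host, n in find_sweepers(parse_flows(SAMPLE)).items():
        print(f"{host}: {n} consecutive targets on ICMP/135")
```

A host that talks to one file server on port 135 stays below the threshold; only a source walking through adjacent addresses is reported.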