RE: Possible worm infection or something else?

From: James Arnott (James.Arnott_at_ardenthealth.com)
Date: 12/01/03

    Date: Mon, 1 Dec 2003 12:57:59 -0600
    To: "Rama Rao Adharapurapu" <RamaRao.Adharapurapu@halliburton.com>, "Firefly Digital Media" <brian@fireflydigitalmedia.com>, "Giancarlo Ballestracci - IT & Technical Support" <giancarlo.ballestracci@progenit.it>
    
    

    I would like to add that even though the machine is patched, it does not
    mean that it is clean. I would recommend running Stinger.exe as a
    cleaning tool on the system. (Cleans many bugs at once and it is free.)
    Make sure that you are scanning all of your local drives.

     http://vil.nai.com/vil/stinger/

    If nothing is found, which I am guessing is what is going to happen, the
    only other recommendation I can make is to turn on a network sniffer and
    look to see what is actually being broadcast from the machine. If you
    have an affected machine on your hands you should see TCMP and port 135
    traffic being sent from the machine, directed to incrementing IP
    addresses.

    Also make sure that your computer is not doing a System Restore, causing
    it to place back deleted virus files.

    Please let me know if I can help any more.

    -----Original Message-----
    From: Rama Rao Adharapurapu
    [mailto:RamaRao.Adharapurapu@halliburton.com]
    Sent: Monday, December 01, 2003 10:50 AM
    To: Firefly Digital Media; Giancarlo Ballestracci - IT & Technical
    Support
    Cc: security-basics@securityfocus.com; focus-virus@securityfocus.com
    Subject: RE: Possible worm infection or something else?

    This looks like the Welchia worm, which removes Blaster; try running the
    Welchia removal tool in safe mode, available at
    http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

    Check KB824146 is applied! And reboot.
    Regards,
    Ramu

    -----Original Message-----
    From: Firefly Digital Media [mailto:brian@fireflydigitalmedia.com]
    Sent: Friday, November 28, 2003 5:48 PM
    To: Giancarlo Ballestracci - IT & Technical Support
    Cc: security-basics@securityfocus.com; focus-virus@securityfocus.com
    Subject: RE: Possible worm infection or something else?

    I had the same problem with an XP machine; it ended up being junky
    drivers (HP junk).
    Is your system in question a Hewlett Packard?

    Brian

    -----Original Message-----
    From: Giancarlo Ballestracci - IT & Technical Support
    [mailto:giancarlo.ballestracci@progenit.it]
    Sent: Friday, November 28, 2003 3:41 AM
    To: security-basics@securityfocus.com; focus-virus@securityfocus.com
    Subject: Possible worm infection or something else?
    Importance: High

    Hi The Group,
    I hope someone can give me good advice about this problem. I have a
    notebook with multiboot startup (2 Win2k, 1 WinXP). On the first Win2k
    partition, svchost.exe takes 100% of the CPU's resources. The system is
    regularly patched (SP4 and all the latest hot fixes), and the personal
    firewall and antivirus clients are updated. Scans with Symantec and
    Trend Micro have found nothing. I've tried to shut down all the services
    possible, without good result. I've also removed the last six
    applications installed: nothing happened. Only in safe mode (clear...)
    does the CPU work fine.
    Is it possible that a (new) worm is sleeping inside the client?
    Initially, I thought about the Blaster worm... I've also checked the
    system registry, but there is nothing strange in the RUN key of LOCAL
    MACHINE.

    Can anybody enlighten me?

    Thanks in advance

    Giancarlo
    IT Manager
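
Added example (not part of the original messages): one way to automate the sniffer check described in the top reply, flagging any host whose port 135 or ICMP traffic goes to a run of incrementing addresses. The flow-line format, the constructed sample addresses, the function names and the threshold of 5 are assumptions, as is reading "TCMP" as ICMP.

```python
import ipaddress
from collections import defaultdict

# Traffic types the reply says to look for; "-" marks "no port" (assumed format).
WATCHED = {("tcp", "135"), ("icmp", "-")}

def build_sample():
    """Constructed flow lines: 'src dst proto dport', one per observed packet."""
    lines = []
    for i in range(1, 9):  # hypothetical infected host sweeping 10.1.2.1-8
        lines.append(f"10.1.1.23 10.1.2.{i} icmp -")
        lines.append(f"10.1.1.23 10.1.2.{i} tcp 135")
    # A normal client: repeated RPC to one server, some web traffic.
    lines += ["10.1.1.40 10.1.1.5 tcp 135", "10.1.1.40 10.1.1.5 tcp 135",
              "10.1.1.40 192.0.2.10 tcp 80", "10.1.1.40 10.1.1.9 tcp 135"]
    return lines

def longest_run(addrs):
    """Length of the longest run of consecutive addresses (given as ints)."""
    best = run = 0
    prev = None
    for a in sorted(addrs):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best

def find_sweepers(lines, min_run=5):
    """Map (src, proto, dport) -> run length for sources hitting >= min_run
    consecutive destination addresses with watched traffic."""
    targets = defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines
        src, dst, proto, dport = fields
        if (proto, dport) not in WATCHED:
            continue
        try:
            # Integer form lets a run continue across an octet boundary.
            targets[(src, proto, dport)].add(int(ipaddress.IPv4Address(dst)))
        except ipaddress.AddressValueError:
            continue
    runs = {key: longest_run(dsts) for key, dsts in targets.items()}
    return {key: n for key, n in runs.items() if n >= min_run}

if __name__ == "__main__":
    for (src, proto, dport), n in sorted(find_sweepers(build_sample()).items()):
        print(f"{src} sent {proto}/{dport} to {n} consecutive addresses")
```

Repeated connections to a single server never form a run, so ordinary RPC clients stay below the threshold.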

    
