Re: A Big trojan problem (irc.flood.??) and rundll32.exe connecting to internet

From: Axel Pettinger (api@epost.de)
Date: 03/08/03


From: Axel Pettinger <api@epost.de>
Date: Sat, 08 Mar 2003 21:34:56 +0100


"Marcel F. U." wrote:
>
> Hello, I have win 2k with the latest mcafee virusscan professional
> up-to-date.
>
> One day my antivirus caught a trojan called IRC.FinalBot that came in
> a file that was just created (don't know how). The only option
> available to get rid of the virus was to exclude.
>
> Since then, many IRC.flood trojans started to appear. This includes
> all kinds, flood.ak, flood.bc, etc.
>
> I ran antivirus scan with heuristics turned on and it found two
> viruses (irc.flood.??) in winnt\system32\config . The files were named
> with random numbers with the extension .ins (ex:19020377.ins). Ok,
> deleted those.
>
> To make sure there weren't any other trojans, I ran many other trojan
> detectors, no one found anything.
>
> At last, I ran the mcafee firewall, and it kept warning me almost
> every minute that a file rundll32.exe was trying to connect to random
> addresses, see one of the reports.
>
[snip]
> Sorry for all this explanation, I just wanted to make sure you
> understood the whole problem.
>
> Thanks for any help u can give me.

Do you have an administrator account with a blank or easy to guess
password for it? Change the password(s), visit Windows Update and
download and install missing patches for your OS, update your av scanner
regularly, and make sure that your av scanner and your firewall are
always running. Check your Winnt directory, its System32 subdirectory
and the running processes, and have a closer look at suspicious
directories and files. Read also the following article(s) to understand
why and how you (probably) became infected:

http://support.microsoft.com/support/kb/articles/Q328/6/91.asp
http://online.securityfocus.com/archive/75/270867
http://staff.washington.edu/dittrich/misc/ddos/unisog-xdcc.txt

Regards,
Axel Pettinger
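
Added example, not part of the original message or written by either poster: a triage sweep for the file pattern described in the thread (all-digit names ending in .ins, such as 19020377.ins), recording path, timestamp and SHA-256 before anything is deleted. Matching any run of digits is an assumption, and the directory tree in the demo is constructed.

```python
import hashlib
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Pattern from the post: all-digit base name plus .ins (e.g. 19020377.ins).
# "One or more digits" is an assumption; the post only says "random numbers".
SUSPECT_NAME = re.compile(r"^\d+\.ins$", re.IGNORECASE)


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suspect_files(root: Path) -> list[dict]:
    """Walk root and record every file whose name matches SUSPECT_NAME."""
    findings = []
    for path in sorted(root.rglob("*")):
        try:
            if not path.is_file() or not SUSPECT_NAME.match(path.name):
                continue
            mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
            findings.append({
                "path": str(path),
                "size": path.stat().st_size,
                "modified_utc": mtime.isoformat(),
                "sha256": sha256_of(path),
            })
        except OSError:
            # Locked or unreadable files: skip rather than abort the sweep.
            continue
    return findings


if __name__ == "__main__":
    # Constructed sample tree standing in for winnt\system32\config.
    with tempfile.TemporaryDirectory() as tmp:
        config = Path(tmp) / "winnt" / "system32" / "config"
        config.mkdir(parents=True)
        (config / "19020377.ins").write_bytes(b"constructed sample")
        (config / "software.log").write_bytes(b"benign")
        for hit in find_suspect_files(Path(tmp)):
            print(hit["modified_utc"], hit["sha256"], hit["path"])
```

Keeping the hash and modification time lets the files be checked against the scanner's later detections and lined up with the firewall's connection warnings.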

