Re: iexpIorer.exe ..new virus? What is it?
From: Sarah (anonymous_at_discussions.microsoft.com)
Date: 01/01/04
- In reply to: Mike Beauchamp: "iexpIorer.exe ..new virus? What is it?"
Date: Wed, 31 Dec 2003 15:31:08 -0800
Mike writes:
>-----Original Message-----
>Hey all..
>
>A few days ago, I started getting a message that "tskmg.exe" wasn't found on
>startup. I obviously assumed this was some sort of a virus (even though I
>haven't run anything, and I'm up to date with Windows Update). So I went and
>scanned at trendmicro's housecall. No viruses found..
>
>I tried firing up regedit and msconfig and both of them close right away
>after 2 seconds.
>
>So, I checked taskmanager and there is a process running called
>"iexpIorer.exe" running. When I kill it, a new one always restarts...
>
>So, obviously I have a virus..
>
>But, the latest online scanners aren't picking it up and there's no new
>windows updates..
>
>Any ideas?
>
>Mike
>
Howdy, Mike. Found several references online to
iexpIorer.exe (noting that the letter following "iexp" is
a capital "i", not an "L"). A year ago, one board's
poster was relating that Norton's had found but could not
delete it (she didn't mention whether she was using a
Safe mode start). Another poster (on a board I could only
get via Google's cache) was complaining about this
infector on a "Viruses everyone has"(!) list. Another was
saying that it is a sub-7 trojan, and listed the steps
they had taken to get rid of it. I don't suppose that the
fact that someone a year ago used that name for their
process stops a new writer from using it in a new
infector.
_Assuming_ it were to be the "same old" thing, the
following from Sophos might be informative:
>>
Troj/Oblivion-B is a backdoor Trojan that allows others
remote access to your computer over a network. It copies
itself to the Windows System directory as iexpIore.exe,
and sets the registry keys
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Default web browser
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\Default web browser
HKLM\Software\Microsoft\Active Setup\Installed Components\Default web browser\StubPath
to all point to the executable.
It also changes the entry shell= in the [boot] section of
system.ini to "explorer.exe iexpIore.exe", and adds new
ini entries load=iexpIore.exe and run=iexpIore.exe in the
[windows] section of win.ini.
It uses ICQ and IRC channels to notify the sender of
activation.
<<
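
A defender-side check for the three INI autostart entries in the Sophos description quoted above, plus a test for file names that differ from a real binary only by look-alike characters. This is an added example, not part of the original post or of Sophos's text; the allow-list, the character folding and the sample file contents are constructed for illustration.

```python
import re

KNOWN = {"explorer.exe", "iexplore.exe"}  # assumption: tiny allow-list for the demo

def skeleton(name):
    """Fold characters that render alike in many fonts (I and 1 -> l, 0 -> o)."""
    return name.replace("I", "l").replace("1", "l").replace("0", "o").lower()

def is_lookalike(name):
    """True if name is not a known binary but renders the same as one."""
    return name.lower() not in KNOWN and skeleton(name) in map(skeleton, KNOWN)

def parse_ini(text):
    """Minimal INI reader: {section: {key: value}} with lower-cased names."""
    data, section = {}, None
    for line in map(str.strip, text.splitlines()):
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = data.setdefault(header.group(1).lower(), {})
        elif section is not None and "=" in line and not line.startswith(";"):
            key, value = line.split("=", 1)
            section[key.strip().lower()] = value.strip()
    return data

def audit(system_ini, win_ini):
    """Check the three INI autostart entries named in the quoted description."""
    hits = []
    shell = parse_ini(system_ini).get("boot", {}).get("shell", "")
    if shell and shell.lower() != "explorer.exe":
        hits.append(("system.ini [boot] shell", shell))
    windows = parse_ini(win_ini).get("windows", {})
    for key in ("load", "run"):
        if windows.get(key):
            hits.append((f"win.ini [windows] {key}", windows[key]))
    # Attach any token in the value that imitates a known binary name.
    return [(w, v, [t for t in v.split() if is_lookalike(t)]) for w, v in hits]

# Constructed sample files: a clean pair and a pair with the described entries.
CLEAN_SYSTEM, CLEAN_WIN = "[boot]\nshell=Explorer.exe\n", "[windows]\nload=\nrun=\n"
BAD_SYSTEM = "[boot]\nshell=explorer.exe iexpIore.exe\n"
BAD_WIN = "[windows]\nload=iexpIore.exe\nrun=iexpIore.exe\n"

if __name__ == "__main__":
    for where, value, fakes in audit(BAD_SYSTEM, BAD_WIN):
        print(f"{where} = {value!r}  lookalikes: {fakes}")
```

The look-alike test only catches names that fold to exactly a known name, so "iexpIore.exe" is flagged while a name with an extra letter would need a fuzzier comparison.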