NEW VIRUS ?

From: Carolyn (cebldb_at_hotmail.com)
Date: 03/24/04


Date: Wed, 24 Mar 2004 22:43:28 -0000

We have been infected today by what Sophos advise may be a new virus; we have
sent a sample for analysis and it may take a few days to find a fix. In the
meantime we are fire-fighting.

We have identified that this is attacking MS Office: a process called
MSOFT32.exe runs and takes up all the CPU of the PC, and it has spread very
quickly across the network. The infected PCs were trying to connect out
through the firewall on port 6667, which we have now blocked. Other symptoms
are Control Panel view changes, Add/Remove Programs will not display its list,
and the PC is unusable. A reboot resolves it for a short while until it starts
up again. Our XP machines seem fine - seems to be W2K Pro SP4??

A registry key exists in HKLM\SOFTWARE\MICROSOFT\WINDOWS\RUN ONCE.

Once the key is deleted and the corresponding system file in WINNT\SYS32 is
deleted, things are OK until the PC is deleted. Many of our PCs are needing
Windows Update for the latest fixes; our SUS failed recently due to a server
failure and we have no time to reconfigure at the minute, so we are thinking of
manually doing Windows Update on 150 PCs. Ahh! Worry though that this will
still not stop the spread of this worm/trojan and we will be running around
until a disinfector is available.

Any suggestions really appreciated! Thinking of scanning with MBSA, although
not sure how long this will take to configure.

Carolyn
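The post's most usable network indicator is the blocked outbound traffic to port 6667 (IRC): once the firewall rule is in place, the firewall's deny log becomes an inventory of infected hosts, which is what is needed to prioritise the manual clean-up across 150 PCs. The script below is an added example, not part of the original post or of any Sophos tooling; it parses a constructed, generic firewall log format (the real format will differ, so the regular expression is an assumption) and lists the source hosts that keep retrying TCP/6667, since a worm retrying after a block is a stronger signal than a single connection.

```python
"""Triage firewall deny logs for hosts trying to reach TCP/6667 (IRC).

Added example: the log format, the sample lines and the IP addresses are
all constructed for this illustration; adjust LINE_RE to the real firewall.
"""
import re
from collections import defaultdict

IRC_PORT = 6667  # port the post reports infected PCs connecting out on

# Constructed format:
#   "<date> <time> <ALLOW|DENY> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: two internal hosts try 6667, one of them repeatedly.
SAMPLE_LOG = """\
2004-03-24 22:01:03 DENY proto=tcp src=10.1.4.21:1043 dst=203.0.113.7:6667
2004-03-24 22:01:05 DENY proto=tcp src=10.1.4.21:1044 dst=203.0.113.7:6667
2004-03-24 22:01:09 ALLOW proto=tcp src=10.1.4.22:1201 dst=198.51.100.10:80
2004-03-24 22:01:11 DENY proto=tcp src=10.1.4.35:1077 dst=203.0.113.9:6667
2004-03-24 22:01:12 DENY proto=udp src=10.1.4.22:1300 dst=198.51.100.53:53
2004-03-24 22:01:15 DENY proto=tcp src=10.1.4.21:1045 dst=203.0.113.7:6667
not a log line at all
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def irc_attempts(log_text, port=IRC_PORT):
    """Map each source IP to the list of destinations it tried on TCP/<port>.

    Both ALLOW and DENY lines count: an allowed connection before the block
    went in is just as much evidence of infection as a denied one after it.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == port:
            hits[rec["src"]].append(rec["dst"])
    return dict(hits)


def suspect_hosts(log_text, min_attempts=2, port=IRC_PORT):
    """Sorted source IPs with at least `min_attempts` attempts on the port.

    Repeated attempts after the firewall block are the retry pattern of an
    automated process rather than a one-off user action.
    """
    attempts = irc_attempts(log_text, port)
    return sorted(src for src, dsts in attempts.items() if len(dsts) >= min_attempts)


if __name__ == "__main__":
    for src, dsts in sorted(irc_attempts(SAMPLE_LOG).items()):
        print(f"{src}: {len(dsts)} attempt(s) to {sorted(set(dsts))}")
    print("clean-up priority:", suspect_hosts(SAMPLE_LOG))
```

Run it against the real deny log with `min_attempts=1` to get every host that has ever tried the port, and with the default of 2 to get the list that is worth visiting first; hosts that stop appearing after the RunOnce entry and the dropped file are removed confirm the clean-up worked on that machine.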
