WORM DESOS.A


Q Section
May 26th, 2003, 08:28 PM
Just scanned and found WORM DESOS.A. Suggestions on how to get rid of it?
Info found here: http://hq.mcafeeasap.com/dispVirus.asp?virus_k=99458

Bowserman
May 26th, 2003, 08:42 PM
Here's a link to some info on it:

http://securityresponse.symantec.com/avcenter/venc/data/w95.stoogy.worm@mm.html

But I would wait for a response from someone in the know-how first.

Regards, Jade.

BTW, just noticed the link only works if you cut & paste it.


*tried to repair URL -Jooske*

Q Section
May 26th, 2003, 08:50 PM
Hello Bowserman
We must have posted at about the same time (as our edit). :)

LowWaterMark
May 26th, 2003, 08:52 PM
The information at that Symantec link is pretty good. You can use it to determine whether or not you are actually infected with that worm (check to see if you do in fact have the registry keys noted, for instance), or if you simply have a single infected file that has not yet been executed.

I'm assuming TDS told you about this infection since you posted here in the TDS forum; what file did it say this infection was in?

Q Section
May 26th, 2003, 09:03 PM
Hello Low Water Mark

Scan Control Dumped @ 17:59:15 26-05-03
Positive identification: Worm.Desos.a
File: c:\windows\asd.exe

We will now check the registry and report back. :)

LowWaterMark
May 26th, 2003, 09:14 PM
By the way, you should save a copy of that file before you do attempt a cleanup. Maybe throw it into a .ZIP file for safe keeping. I'm sure someone (maybe multiple people) will ask for a copy of the file to check it out for you.

Q Section
May 26th, 2003, 11:22 PM
Registry shows no extra files there. We are having a problem with our zip program (Freezip) so we may just get another program in a few minutes before we can send the file to DCS.

Gavin - DiamondCS
May 27th, 2003, 12:50 AM
No problems, this is NOT a worm. My apologies.

Now that I have seen this, I think the worm writer actually hacked a legitimate EXE file to create his worm; there are too many similarities (huge chunks of identical code).

The fixed RADIUS database will be released early today, in about an hour or 2 :)

Q Section
May 27th, 2003, 02:44 AM
Wonderful - Thank you very much Gavin for your work and quick service. We had not yet done anything until we heard from you. Keep up the good work. BTW - WormGuard did not notice this.

Gavin - DiamondCS
May 27th, 2003, 04:32 AM
New update is out.. :)

Wormguard shouldn't :)

Hmm, all that black on that pic... painful almost :) Do you mind editing it? Or even removing the image :)

Jooske
May 27th, 2003, 04:41 AM
You might like to look for the "crop" function in an image editor, like Irfanview www.irfanview.com (one of the most wonderful image/sound thingies I know, and FREE!)

Pilli
May 27th, 2003, 05:37 AM
;D Agreed Jooske, Irfanview is a great tool. I also like its ability to load a plugin that does away with Real Player ;)

Gavin, will the introduction of incremental backups in TDS4 improve the false positive situation? Or is it purely the complicated business of decoding and verifying these nasties?

Gavin - DiamondCS
May 27th, 2003, 06:04 AM
It'll mean a smaller download and a quicker fix :)

This case was rare though. I was surprised to see the asd.exe and the worm sample have a lot of perfect code matches all through the file, only some changes and a little extra code. So I did presume it is a hacked version of the system file, tweaked to do the worm writer's needs ::)

Jooske
May 27th, 2003, 06:17 AM
I grabbed the image, cropped it out and made it 75% of the original, but as it is a copy it became twice as many KB, from 15 to 31!
I thought that only happened with JPG, so I just deleted them from my system.


Good that you found out about the "enhanced" system file. You are refining your database all the time, over 25,xxx refs now already!