avserve.exe? new virus?

Discussion in 'malware problems & news' started by wrequed, May 1, 2004.

Thread Status:
Not open for further replies.
  1. wrequed

    wrequed Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    I have run across this all day here at work.
    Customer calls unable to view webpages or download their email.

    Looking in the task manager under processes, avserve.exe shows running.
    Ending task on this process seems to fix the problem with the connection.
    Also deleting the file avserve.exe in the Windows dir seems to work fine.

    Anyone else run across this?

    wrequed
     
  2. wrequed

    wrequed Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    Just found that this is a virus.
    To get rid of it:

    Ctrl-Alt-Del and end avserve.exe - if that is running then you have the virus.
    Then go to C:\Windows\ and delete the file called avserve.exe.
    Then go to C:\Windows\System32 and delete any files that start with a number and end in _up.exe,
    e.g. 132424_up.exe, 2344_up.exe, 30212_up.exe.
    Then do a search of all HDDs for a file called cmd.ftp and delete any if found (make sure search of hidden and system folders is on).
    Do a Windows Update and make sure update number 835732 is there or already installed.

    hope this helps

    wrequed
     
  3. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
  4. wrequed

    wrequed Registered Member

    Joined:
    May 1, 2004
    Posts:
    3
    Has anyone seen the same type of errors but without the "avserve.exe" loaded up in processes?
    I'm seeing this happening. Just curious.....

    wrequed
     
  5. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you're on a Win2000/XP system, first use this security patch:
    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
    After that, start cleansing.

    Other infection? Are you on XP?
    All files and extensions showing, none hidden?
    Would also advise to post a HijackThis log in the HJT forum here.

    Part of the story:
    "To propagate, it scans random IP addresses for vulnerable systems. When a vulnerable system is found, the malware sends a specially crafted packet to produce a buffer overflow on LSASS.EXE.

    The resulting overflow allows the malware to listen on TCP port 9996, which instructs it to spawn a command shell. The malware then creates the script file CMD.FTP that contains instructions for the vulnerable system to download and execute a copy of this malware via FTP.

    The infected host then opens TCP port 5554 to accept any FTP requests from infected remote systems. The worm copy to be downloaded bears the file name <random integer>_up.exe (e.g., 12345_up.exe), and is saved in the Windows system directory.

    After download, the malware deletes the file CMD.FTP. A log file named WIN.LOG is created in the root directory. This file contains the number of remote systems that the host system was able to infect."


    You might like to locate the stuff on your system, see it in action, block it and locate the parts where it is, for instance with Port Explorer (www.diamondcs.com.au/portexplorer - free demo version available), to block the sending and kill the processes etc. Might help!
     
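Pulling the indicators from wrequed's removal steps and from the description Jooske quotes into one check, as an added example that is not code from the thread or from any vendor tool: it takes a list of file paths and netstat-style lines (the sample input below is constructed) and reports the file names and listening ports the posts mention, so a support tech can confirm an infection before deleting anything.

```python
import re
from pathlib import PureWindowsPath

# Indicators named in the thread: the running executable, the numbered "_up.exe"
# copies, the FTP script, the log in the drive root, and the two TCP ports.
DROPPED_FILE = "avserve.exe"
UPLOAD_COPY_RE = re.compile(r"^\d+_up\.exe$", re.IGNORECASE)
FTP_SCRIPT = "cmd.ftp"
LOG_FILE = "win.log"
SUSPECT_PORTS = {5554: "FTP server offering worm copies", 9996: "command shell listener"}
# Matches a LISTENING line as printed by "netstat -an" on Windows.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s*$", re.IGNORECASE)

def check_files(paths):
    """Return (path, reason) for each path that matches a file indicator."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        name = wp.name.lower()
        if name == DROPPED_FILE:
            hits.append((p, "worm executable"))
        elif UPLOAD_COPY_RE.match(name):
            hits.append((p, "worm copy staged for FTP download"))
        elif name == FTP_SCRIPT:
            hits.append((p, "FTP download script"))
        elif name == LOG_FILE and len(wp.parts) == 2:  # directly under the drive root
            hits.append((p, "infection-count log"))
    return hits

def check_listeners(netstat_lines):
    """Return {port: reason} for suspect ports seen LISTENING in netstat output."""
    ports = {int(m.group(1)) for m in map(LISTEN_RE.match, netstat_lines) if m}
    return {p: SUSPECT_PORTS[p] for p in ports if p in SUSPECT_PORTS}

# Constructed sample input standing in for a directory walk and "netstat -an".
SAMPLE_FILES = [
    r"C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\system32\132424_up.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\cmd.ftp",
    r"C:\WIN.LOG",
    r"D:\backup\win.log",  # not in the drive root, so not reported
]
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:5554     0.0.0.0:0        LISTENING",
    "  TCP    0.0.0.0:9996     0.0.0.0:0        LISTENING",
    "  TCP    192.0.2.10:1043  192.0.2.20:80    ESTABLISHED",
]
```

On a real box, feed check_files a recursive listing of C:\Windows and the drive roots (with hidden and system files included, as the removal steps say) and check_listeners the output of netstat -an.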