worm/Padobot.V & wintrim2k

Discussion in 'malware problems & news' started by FatBurgler, Oct 7, 2004.

Thread Status:
Not open for further replies.
  1. FatBurgler

    FatBurgler Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    3
    both are worms and both are being detected by my AVG & Norton anti virus but for some reason are not being cleaned. i downloaded VCleaner from symantec and used that but it didn't even detect any worms. now my comp is severely mashed and resetting all the time and crashing etc. how do I rid myself of these worms? any suggestions greatly appreciated :D
     
  2. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    Hi FatBurgler :)

    Welcome to Wilders.

    Can u give us the exact names of the files in which these worms are being found?



    snowbound
     
  3. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    Korgo (aka Padobot) is a network worm written by the Russian Hangup Team virus group. It spreads throughout the Internet using a vulnerability in Microsoft Windows LSASS.

    http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

    Detailed Description

    The worm is written in C++ and is approximately 10KB in size, packed using UPX.

    When launching, the worm copies itself to the Windows system directory under a random name, and registers this file in the system registry auto-run key:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    WinUpdate = %system%\name of file

    It also creates a registry key

    HKLM\SOFTWARE\Microsoft\Wireless
    Server = 1

    It creates the mutexes "10", "u2" and "uterm5" to flag its presence in the system. The worm chooses the IP addresses of random machines to infect and attack, similar to other worms which exploit the same LSASS vulnerability.

    Once infected, a victim machine will display an error message that the LSASS service has failed. After this error message has been displayed, the computer may reboot.

    The worm opens TCP ports 113, 3067 and 2041 to receive commands.

    It attempts to connect to several IRC servers to receive commands and transmit data.
     
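Added example, not part of the original thread or of any vendor's removal tool: a read-only PowerShell check for the indicators listed in the post above (the WinUpdate Run value, the Wireless\Server key, the listening ports and the mutex names). It assumes a current Windows with Get-NetTCPConnection available and an elevated prompt; it only reports and deletes nothing.

```powershell
# Added example, not from the original thread: read-only check for the
# Korgo/Padobot indicators described in the post above. Assumes a modern
# Windows with the NetTCPIP module (Get-NetTCPConnection); run elevated.
$findings = @()

# 1. Auto-run value "WinUpdate" under the HKLM Run key
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains 'WinUpdate')) {
    $findings += "Run value 'WinUpdate' -> $($run.WinUpdate)"
}

# 2. Marker key HKLM\SOFTWARE\Microsoft\Wireless with Server = 1
$wirelessKey = 'HKLM:\SOFTWARE\Microsoft\Wireless'
$wireless = Get-ItemProperty -Path $wirelessKey -ErrorAction SilentlyContinue
if ($wireless -and $wireless.Server -eq 1) {
    $findings += "$wirelessKey has Server = 1"
}

# 3. TCP ports the worm listens on for commands, with the owning process
$ports = 113, 3067, 2041
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort }
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings += "TCP $($conn.LocalPort) listening: PID $($conn.OwningProcess) ($($proc.ProcessName))"
}

# 4. Mutexes "10", "u2", "uterm5". Only mutexes in the current session
#    namespace are visible this way; a Global\ one would need that prefix.
foreach ($name in '10', 'u2', 'uterm5') {
    $m = $null
    if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
        $findings += "Mutex '$name' is present"
        $m.Dispose()
    }
}

if ($findings.Count -eq 0) {
    'No Korgo/Padobot indicators found.'
} else {
    'Indicators found:'
    $findings | ForEach-Object { "  $_" }
}
```

A hit on any one item is only an indicator, not proof; confirm with a scan from Safe Mode as the later replies advise before removing anything.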
  4. FatBurgler

    FatBurgler Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    3
    ty for the welcome and the file names are as follows

    C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\localsettings\temporaryinternetfiles\CONTENT.IE5\HFSYG2ZZ\X_1_~1.EXE

    the above is the filepath to a file infected with Worm/Padobot.V

    the following is also infected with Worm/Padobot.V

    C:\WINDOWS\SYSTEM32\FTPUPD.EXE

    the following file is infected with Downloader.Wintrim.2.K

    C:\WINDOWS\SYSTEM32\EGLIVE~1.EXE

    the following file is infected with Downloader.Wintrim.2.L

    C:\WINDOWS\SYSTEM32\NETPE32.DLL

    the following files are infected with P2E.H

    C:\WINDOWS\SYSTEM32\EGAUTH.DLL
    C:\WINDOWS\SYSTEM32\P2ESOC~1.DLL
     
  5. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    As for the Wintrim file, info is available here: http://www.f-secure.com/v-descs/wintrim.shtml

    if you follow these steps and delete the files it should be ok.

    This is not technically a virus.

    Also, you should turn off your System Restore, as I believe both of these threats exploit the restore function as self-preservation.
     
  6. Sweetie(*)(*)

    Sweetie(*)(*) Registered Member

    Joined:
    Aug 10, 2004
    Posts:
    419
    Location:
    Venus
    If you can, download NOD32, update it and scan from Safe Mode.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi FatBurgler, welcome to Wilders, can you please follow the steps located here, just use your AVG or NAV instead of Nod32. Both worms are likely to have been injected into memory, and as such your system will need to be booted into "Safe Mode". I would suggest following the link provided; it is very comprehensive in removing the greater majority of what's out there...

    Let us know how you go...

    Cheers :D
     
  8. FatBurgler

    FatBurgler Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    3
    Thanx for all the help, I really appreciate it. Most of the viruses etc. are gone now... found 123 malware and adware lurking as well. All gone now though. Just gonna finish off the last lot. Thanx again everyone :D :D :D
     
  9. snowbound

    snowbound Retired Moderator

    Joined:
    Feb 18, 2003
    Posts:
    8,723
    Location:
    The Big Smoke
    You're welcome. :)

    Glad we could help.

    Post back if u have any more problems.


    snowbound
     