
Help with virus 1

Status
Not open for further replies.

zarkon4

MIS
Dec 16, 2003
641
US
I am looking for help with a virus. I don't even know its name and have tried searching for it on McAfee's and Symantec's sites to no avail. It is propagating throughout our network like wildfire; some PCs have been infected while others are not. The ones that are not have a file called 'c.bat' in the windows/system32 directory. The ones that have become infected have a process running 'msnms.exe' and reg keys for MSN Updater. The c.bat file tries to ftp a file named '.pif' and then execute msnms.exe. On some PCs the ftp is blocked by Symantec anti-virus, and they therefore do not get infected.
The only thing that the anti-virus is coming up with is that it's a backdoor.trojan, which I understand is a generic name. I clean an infected machine and shut it down. When I get all of them clean and turn one on, it gets infected again. Has anyone encountered this or have any solutions?
 
I'd love to be there to help. You've piqued my interest now. ^_^

Do a netstat -an on an infected machine and an uninfected machine to see what kinds of connections there are. Copy and paste the results here if you want. Also, which version of Windows? If Windows XP, turn off System Restore before cleaning.

----------------------------
"Security is like an onion" - Unknown
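The comparison suggested in the reply above (netstat -an on a clean machine versus a suspect one) is easy to do by hand for two hosts but tedious across a network. The script below is an added example, not code posted in this thread: it parses two captures and reports only the listening ports and remote endpoints that exist on the suspect host and not on the clean one, so ephemeral client ports and normal file-sharing traffic drop out. Both captures are constructed samples; 203.0.113.9 is a documentation address and port 54321 stands in for an unexpected listener, neither is an indicator taken from the thread (port 5050 is the one the original poster mentioned).

```python
# Added example (not from the Tek-Tips thread): diff "netstat -an" output from a
# known-clean machine against a suspect one, reporting listeners and remote
# endpoints that exist only on the suspect host. Both captures below are
# constructed samples; 203.0.113.9 is a documentation address and port 54321
# is a placeholder for an unexpected listener, not an indicator from the thread.
import re

CLEAN_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1044      192.168.1.5:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

SUSPECT_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:54321          0.0.0.0:0              LISTENING
  TCP    192.168.1.21:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.21:1101      192.168.1.5:445        ESTABLISHED
  TCP    192.168.1.21:1187      203.0.113.9:5050       ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state.
_ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def _split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None when not numeric (e.g. '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return the connection rows of a netstat -an capture, skipping headers."""
    rows = []
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if not m:
            continue  # "Active Connections", column headers, blank lines
        proto, local, foreign, state = m.groups()
        rows.append({"proto": proto, "local": local, "foreign": foreign, "state": state or ""})
    return rows


def summarize(rows):
    """Reduce rows to (proto, local port) listeners and (proto, host, port) remote peers."""
    listeners, remotes = set(), set()
    for r in rows:
        _, lport = _split_endpoint(r["local"])
        fhost, fport = _split_endpoint(r["foreign"])
        # UDP rows carry no state; a bound UDP socket is treated as a listener.
        if r["state"] == "LISTENING" or r["proto"] == "UDP":
            if lport is not None:
                listeners.add((r["proto"], lport))
        elif fport is not None and fhost not in ("0.0.0.0", "*"):
            remotes.add((r["proto"], fhost, fport))
    return listeners, remotes


def diff_hosts(clean_text, suspect_text):
    """Listeners and remote peers present on the suspect host but absent on the clean one."""
    clean_l, clean_r = summarize(parse_netstat(clean_text))
    sus_l, sus_r = summarize(parse_netstat(suspect_text))
    return {"new_listeners": sus_l - clean_l, "new_remotes": sus_r - clean_r}


if __name__ == "__main__":
    result = diff_hosts(CLEAN_NETSTAT, SUSPECT_NETSTAT)
    for proto, port in sorted(result["new_listeners"]):
        print(f"unexpected listener: {proto}/{port}")
    for proto, host, port in sorted(result["new_remotes"]):
        print(f"unexpected remote peer: {proto} {host}:{port}")
```

Keying listeners by port rather than by full local address lets hosts with different IPs be compared, and the clean baseline should come from a machine with the same role (a workstation baseline will flag every service on a server).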
 
Sorry it took so long to reply; we have found out that it is a new virus, one that does not yet have a name.
We have cleaned it. It starts with a file named 'c.bat', which runs an ftp script named '.pif', goes out on port 5050 and gets msnms.exe. msnms.exe then installs itself into the registry, then finds other computers on the network and installs itself on them. It also listens on other ports and downloads additional backdoors and worms. It turns out that even the PCs that quarantined the thing were still infected.

 
Nasty. I'd forward your finding to the ISC, and they will in turn forward it to AV companies. Do you still have the files involved? If you do, that'll significantly help.


----------------------------
"Security is like an onion" - Unknown
 
Hi
We are just being hit ourselves at the moment with this c.bat virus. Can you let me know whether there was a conclusion to this problem? We have added c.bat to our list on the AVD server but lots of machines are still getting hammered in the interim... it's causing us a lot of leg work at the moment, so any ideas to help me rest these pins would be fantastic?
 

Here is how we got rid of it.
- Disconnect all PCs from the network.
- On servers, delete c.bat, .pif, msnms.exe. Search the registry for c.bat, msnms; delete all occurrences.
- On user PCs do the same.
- Update antivirus with the latest dats.
- When ALL PCs and servers are clean you can connect to the network.

c.bat executes an ftp script named .pif, which downloads msnms.exe through a TCP/IP port and then executes it. msnms.exe also spreads it to other PCs through another TCP/IP port.

Make sure you leave the power off or leave the network connection disconnected throughout the process. We ended up forgetting to clean a particular machine and ended up back at square one!
Also, check HKlocalMachine\Microsoft\Windows\CurrentVersion\Run for any strange-looking entries and delete them.
Double-check the same for HKUsers and CurrentUser.
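Searching the Run keys on every machine for the names given in the post above is the part of this cleanup that scales worst by hand. The script below is an added example, not something posted in this thread: it parses a text export of the HKLM and HKCU Run keys and lists the entries whose value name is "MSN Updater" or whose launched program is c.bat, .pif or msnms.exe (the names the original poster reported). The .reg text is a constructed sample, and the script assumes the export has already been decoded to a Python str (Windows writes .reg exports as UTF-16 LE, so a real file would be opened with encoding="utf-16").

```python
# Added example (not from the Tek-Tips thread): scan a text export of the Run
# keys the post mentions for entries that reference the files named in the
# thread (c.bat, .pif, msnms.exe) or the "MSN Updater" value name.
# The .reg text below is a constructed sample, not an export from a real host.
# Assumption: the export was produced with "reg export" and already decoded to
# str (real exports are UTF-16 LE; open them with encoding="utf-16").
import re

# Constructed sample export: two ordinary Windows entries and two entries that
# match the indicators described in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"MSN Updater"="C:\\WINDOWS\\system32\\msnms.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"c"="C:\\WINDOWS\\system32\\c.bat"
'''

# Indicators taken from the thread: file names launched by the worm, and the
# value name the original poster saw in the registry.
INDICATOR_FILES = {"c.bat", ".pif", "msnms.exe"}
INDICATOR_NAMES = {"msn updater"}

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=value ; the name may contain escaped quotes or backslashes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: '\\\\' -> '\\' and '\\"' -> '"'."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key path: {value name: string value}} for the string values in a .reg export."""
    entries, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = _KEY_RE.match(line)
        if m:
            key = m.group(1)
            entries.setdefault(key, {})
            continue
        if key is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2)
        # Only REG_SZ values ("...") can be launch commands; skip hex:/dword: data.
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            entries[key][_unescape(name)] = _unescape(raw[1:-1])
    return entries


def command_basename(command):
    """Lower-cased file name of the program a Run command launches."""
    command = command.strip()
    if command.startswith('"'):          # quoted path, may contain spaces
        end = command.find('"', 1)
        exe = command[1:end] if end != -1 else command[1:]
    else:
        parts = command.split()
        exe = parts[0] if parts else ""
    return exe.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()


def find_suspicious(entries):
    """Return (key, value name, command) for entries matching the thread's indicators."""
    hits = []
    for key, values in entries.items():
        for name, command in values.items():
            if name.lower() in INDICATOR_NAMES or command_basename(command) in INDICATOR_FILES:
                hits.append((key, name, command))
    return hits


if __name__ == "__main__":
    for key, name, command in find_suspicious(parse_reg_export(SAMPLE_REG)):
        print(f"[{key}] {name} -> {command}")
```

On a live host the same export is produced with `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg`, once per hive named in the post; reviewing the full parsed dictionary, not just the hits, is what catches the "strange looking entries" the post warns about when the worm uses a name the indicator list does not know.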
 
Cheers for that, Zarkon4... the only problem we have is that we currently have about 2000 machines on the network and cannot remove them all for business reasons!

Hmm, puzzler... thanks for the info though, very useful!!
 
Then on each PC disconnect it, clean it, shut it down, re-connect it but leave it off until all of them are clean.
Business reasons or not, it has to be done, or just live with the virus.
 
My virus scanner picked it up yesterday & deleted it before it could do any damage. My scanner called it BOFRA.

It hit in Germany first and I guess it finally jumped the pond to the US.
 
eyec: Yeah, it seems it did jump the pond. :( ISC picked it up Friday or Saturday. From what I have read, BOFRA can get pretty nasty.

----------------------------
"Security is like an onion" - Unknown
 
It was not BOFRA, it was a variant of SPYBOT. It did not come through email.
 
This did not come through email either.

It was inside a webpage with the name c.html. Not sure just which webpage, but with 4 kids using my home networked PCs, I doubt I will ever find out.

Even after my virus scanner caught it, I had to remove the seed file (c.bat) from the registry.

Anyway, good luck in clearing it from your systems.
 