My customer got hacked!!!

Status
Not open for further replies.

Georgi1chuikov

IS-IT--Management
Jun 5, 2003
51
US
This is more of a professional curiosity than anything else. My customer called in and stated up front he was hacked (remotely taken over) and is trying to remedy this, but in the meantime we needed to get my software working. In the process of remoting into one of his PCs I noticed several processes that were running. They were labeled ~2.exe, ~20a.exe, ~20b.exe, ~20c.exe and ~20d.exe. ~2 was using most of the CPU load; after I stopped it the PC functioned correctly. Can anybody tell me what these are? I do not need to solve this as my responsibility is my software and not the general PC health, but I am curious about what I just encountered.
 
I believe that is the W32Deborm worm. I'm afraid I know little about it, but I'll share what I do know.

I've seen comments that the worm spreads through non-password protected C: drive shares. Both McAfee and Norton will identify and clean the worm.

The worm creates\infects the file C:\WINNT\LITMUS\SVCHOST32.EXE, as well as a number of files in C:\TEMP named ~n.exe, where n is a number. I have seen comments that a new ~n.exe is created each time the system boots (incrementing n each time). The worm appears to be designed to drain system resources.

Hope that helps,
Jason Deckard
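
Added example, not part of the thread and not any vendor's detection logic: a Python triage sketch that checks a list of file or process paths against the indicators named in the reply above (the `LITMUS\SVCHOST32.EXE` path and `~n.exe` files in `C:\TEMP`). The function names, the sample inventory and the optional letter suffix in the pattern (added to cover names such as `~20a.exe` from the first post) are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Indicators taken from the reply above.
DROPPER_PATH = PureWindowsPath(r"C:\WINNT\LITMUS\SVCHOST32.EXE")
TEMP_DIR = PureWindowsPath(r"C:\TEMP")
# "~n.exe" per the reply; the optional trailing letter is an assumption made
# so that the names seen by the original poster (~20a.exe ... ~20d.exe) match.
TILDE_EXE = re.compile(r"^~\d+[a-z]?\.exe$", re.IGNORECASE)


def classify(path_str):
    """Return a reason string if the path matches an indicator, else None."""
    p = PureWindowsPath(path_str.strip().strip('"'))
    # PureWindowsPath compares case-insensitively and accepts / or \.
    if p == DROPPER_PATH:
        return "dropper path"
    if TILDE_EXE.match(p.name):
        if p.parent == TEMP_DIR:
            return "~n.exe in C:\\TEMP"
        return "~n.exe name, not under C:\\TEMP"
    return None


def triage(paths):
    """Map each flagged input to its reason, preserving input order."""
    hits = {}
    for raw in paths:
        reason = classify(raw)
        if reason:
            hits[raw] = reason
    return hits


# Constructed sample inventory (not data from the thread).
SAMPLE = [
    r"C:\WINNT\system32\svchost.exe",   # legitimate service host
    r"c:\winnt\litmus\svchost32.exe",   # indicator, different letter case
    r"C:\TEMP\~2.exe",
    "C:/temp/~20a.exe",                 # forward slashes, letter suffix
    "~20d.exe",                         # bare process name, no path
    r"C:\TEMP\~DF3A1.tmp",              # ordinary temp file, not flagged
    r"C:\TEMP\~setup.exe",              # tilde but no number, not flagged
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE).items():
        print(f"{reason:32} {path}")
```

A bare process name carries no directory, so it is reported separately from files confirmed under `C:\TEMP` and needs its on-disk location checked before drawing a conclusion.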
 