Hi all,
Lets see what you think.
We were hit by a virus, we cleaned it, updated the machine to the latest definitions and updates from windows. But, Sygate.exe still appears and runs.
This is basically what we think it is and what it does:
- W32/Rbot-II is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
- W32/Rbot-II spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
- W32/Rbot-II copies itself to the Windows system folder as SYGATE.EXE and creates entries at the following locations in the registry with the value Sygate Personal Firewall so as to run itself on system startup, resetting them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- W32/Rbot-II sets the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
- W32/Rbot-II attempts to delete network shares on the host computer every 2 minutes.
Our most common problem is the fact that it is sending out a DNS lookup to some king.tah"something".net then a IRC chat request to Name.service.net. It does this about every 5-6 seconds.
And the mor interesting thing is that nothing can find it. Norton, Panda, AVG all seem to fail, also adware programs cant find it either. Worm removal tools also fail.
Im out of ideas......
And help would be greatly appreciated, we have over 200 machines doing it, re-buils are out of the question, and port blocking on 888 is only a temporary measure.
Thanks heaps in advance,
Brett
Lets see what you think.
We were hit by a virus, we cleaned it, updated the machine to the latest definitions and updates from windows. But, Sygate.exe still appears and runs.
This is basically what we think it is and what it does:
- W32/Rbot-II is a worm which attempts to spread to remote network shares. It also contains backdoor Trojan functionality, allowing unauthorised remote access to the infected computer via IRC channels while running in the background as a service process.
- W32/Rbot-II spreads to network shares with weak passwords and via network security exploits as a result of the backdoor Trojan element receiving the appropriate command from a remote user.
- W32/Rbot-II copies itself to the Windows system folder as SYGATE.EXE and creates entries at the following locations in the registry with the value Sygate Personal Firewall so as to run itself on system startup, resetting them every minute:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
- W32/Rbot-II sets the following registry entries every 2 minutes:
HKLM\SOFTWARE\Microsoft\Ole\EnableDCOM = "N"
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous = "1"
- W32/Rbot-II attempts to delete network shares on the host computer every 2 minutes.
Our most common problem is the fact that it is sending out a DNS lookup to some king.tah"something".net then a IRC chat request to Name.service.net. It does this about every 5-6 seconds.
And the mor interesting thing is that nothing can find it. Norton, Panda, AVG all seem to fail, also adware programs cant find it either. Worm removal tools also fail.
Im out of ideas......
And help would be greatly appreciated, we have over 200 machines doing it, re-buils are out of the question, and port blocking on 888 is only a temporary measure.
Thanks heaps in advance,
Brett
