Strange Virus (sys32 in TEMP file)

[pacewhoplaybass]

As of late, my computer has been running on the slow side, so I opened C:\Windows\TEMP and started deleting some files that I recognized as leftovers from installations, and I stumbled upon a folder named 'sys32' that contained gigabytes' worth of files, all ranging from 300-500k. This, on its own wouldn't have raised an eyebrow, but it seems to be regenerating itself every time I reboot. What's more, the files are being re-downloaded from the point I start Windows, and since I have cable internet access, they amass themselves rather quickly. I ran both Norton and Ad-Aware and they came up empty-handed, so i searched the registry for sys32 files and found nothing yet again.

I'm not really sure how to classify this problem, but I'm pretty sure it's a benign virus that just continues to download junk files to slow down my computer, as I have not seen any other ill effects.

Any information that might aid me in ridding myself of these soulless files would be heartily appreciated.

 

[Kento]

It's a new trojan you got from Kazaa. Download and run The Cleaner which is free to try. It should clean it up for you.

http://www.moosoft.com

Or you can try to get rid of it manually. Click start--run--type regedit--ok. Doubleclick on each of these:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

Open the Run key and you should see this in the right pane:

System-Service"="C:\\WINDOWS\\SYSTEM\\EXPLORER.SCR

Delete that entry.

Then go here:

HKEY_LOCAL_MACHINE\Software\Microsoft

Open the Microsoft key and see if you see this in the right pane:

"syscod"="0065D7DB20008306B6A1"

If yes delete it.

Then close regedit and restart the computer. After restarting find and delete Explorer.scr. It should be in the System folder. If it won't delete due to an access denied error then delete it from safe mode. Then delete the whole Sys32 folder in your C:\Windows\Temp folder.

 

[Kento]

I have a correction. The "syscod"="0065D7DB20008306B6A1" entry I mentioned would probably appear as a Subkey under Microsoft rather than appearing in the right pane of the Microsoft key.

 

[FatesWebb]

JS/SQLSpida.worm (listed both Spida.a and Spida.b versions)
McAfee AVERT Assessment: LOW

This worm targets Microsoft SQL servers. It probes the Internet for SQL servers on port 1433 and compromises those servers using the default SQL administrator account "SA". SQL administrators should take appropriate action to ensure that the "SA" account is not vulnerable. For information on securing your SQL server see: SQL Server w/ Blank SA Password Opens Vulnerability to Worm.

NOTE:
THIS IS NOT AN SQL VULNERABILITY! This virus is spread due to insecure systems.

VARIANT "A"

Once a SQL server has been accessed, the worm creates the NT user "sqlagentcmdexec", sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.

The worm then writes several files to the compromised server and kicks off the propagation routine.

VARIANT "B"

Once a SQL server has been accessed, the worm activates the NT user guest, sets a password on that account, adds the user to the local administrators group and adds the user to the "Domain Admins" group.

The worm then writes several files to the compromised server and kicks off the propagation routine.

SYMPTOMS
Presence of the following files:

%WinDir%\system32\drivers\services.exe
%WinDir%\system32\sqlexec.js
%WinDir%\system32\clemail.exe
%WinDir%\system32\sqlprocess.js
%WinDir%\system32\sqlinstall.bat
%WinDir%\system32\sqldir.js
%WinDir%\system32\run.js
%WinDir%\system32\timer.dll
%WinDir%\system32\samdump.dll
%WinDir%\system32\pwdump2.exe
METHOD OF INFECTION
This worm uses several files to accomplish its task.

services.exe - A port scanning utility
sqlexec.exe - Establishes the SQL connection and initiates the xp_cmdshell commands.
clemail.exe - A command line SMTP emailer tool
sqlprocess.js - Calls SQLDIR.JS, IPCONFIG /ALL, and PWDUMP redirecting the output of each tool to SEND.TXT. The contents of SEND.TXT are placed into the body of an email message and sent to the addresses: "system@digitalspider.org", "system@hiddennet.org", "system@infinityspace.net. The worm attempts to delete the files that it created.
sqlinstall.bat - Creates the NT account as described in the Characteristics section of this description; Copies the files mentioned here to the target system, and activates SQLPROCESS.JS on the remote system.
sqldir.js - Tool to display database information
run.js - Shell run tool
timer.dll - Contains timer function
samdump.dll - Used by PWDUMP2.EXE
pwdump2.exe - Dumps the SAM database
The worm scans port 1433 on the following IP addresses, and infects systems that are vulnerable:

IP = A.B.C.D where:

A = random number [not equal to] 10 or 127 or 172 or 192
B = random number 0 - 255
C = 1-255
D = 1-254
REMOVAL
Detection will be completely performed by DAT 4204 found here.

-- Manual Removal Instructions --
Delete all files mentioned in the Symptoms section of this description.

Securing your SQL server (see SQL Server w/ Blank SA Password Opens Vulnerability to Worm)

Also make sure you have a secure password for your SA account or any administrator account.

W32/Benjamin.worm
McAfee AVERT Assessment: LOW

When this worm is run, it copies itself to %WINDIR%\SYSTEM\EXPLORER.SCR, where %WINDIR% is the directory Windows is installed in. Then it adds the registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\
Run\SystemService=%WINDIR%\SYSTEM\EXPLORER.SCR
To spread, the worm requires that the Kazaa software is installed on the machine. It creates a directory called %WINDIR%\TEMP\SYS32, and changes the Kazaa settings so that remote users can download from this directory. Then it copies itself to that directory under many different names which other users may search for. The size of these files can vary since the worm pads them with garbage bytes. This method of spreading is comparable to the VBS/GWV worm.

SYMPTOMS

Presence of EXPLORER.SCR and registry key pointing to it.
Presence of %WINDIR%\TEMP\SYS32 and many files inside.
METHOD OF INFECTION
Since this worm offers itself over the Kazaa network under names that users may find tempting, users who are not infected may download and run the worm from infected machines, and thus spread the worm themselves. Again, this worm spreads via the KAZAA sharing software.

REMOVAL
Detection and removal will be possible with DAT 4204 found here.

FatesWebb

if you do what I suggested it is not my fault...