
Virus?(yahoo update and DSL.exe)


sdorff

Technical User
Apr 1, 2003
We have a Win2k network with Win2k Pro PCs. We got choked by network traffic. As far as we can tell it was sending a ton of stuff out port 445. The process that we found to cause problems was "yahoo update" and the file was DSL.exe.

Anyone had this or know of a solution?

Thanx,
sdorff
 
Sounds similar to (but not quite identical to) something I ran into last weekend. Have you checked your domain controller security logs? If you find that there are certain machines/ip addresses that are repeatedly hitting generic administrative accounts, then you may be up against the same thing I was. See my earlier thread "Winsit.dll flooding network / hammering admin accounts" (thread760-931724).

Short list of our symptoms:
1. Single process running & throwing errors to desktop.

2. Domain controller logs listing literally thousands of logon failures from the same desktops, attempting to logon with accounts such as admin, administrateur, administrada, adm1n, sql_mgr, etc., at the rate of anywhere from 6 to 20 times per second, per desktop.

3. Process extremely resistant to closure (had to use PSKill commands, or Killbox in every instance).

4. Process executable resident in system32 folder, and cannot be deleted ("Access denied" error at each attempt).

5. Related registry entry in HKLM/system/Controlset001(also check 002/003)/enum/root/legacy_(executable name)

If this is similar to what you're running into, I'd suggest you get a sample of your DSL.exe file to your AV provider for analysis. In my case, we use McAfee and I was able to submit it directly from an infected machine through their webscan feature. McAfee analyzed the sample (though it took three days) as infected with a new variant of SDBot/worm, sent me an Extra.dat that I was able to push via ePO, and our network was completely clean within two days.

Manual removal instructions (assuming your symptoms match) that I found successful until I received the Extra.dat.

1. XP boxes - turned off system restore.

2. Used Killbox or PSKill commands to stop running process.

3. Found that, while the executable that was in system32 folder would not allow deletion, it would allow me to rename it. Renamed to "deleteme.now" and was able to then change security settings and delete it.

4. Used regedt32 to navigate to the HKLM entry mentioned above, changed security settings to allow "Everyone" deletion rights, then deleted it.

5. Searched hard drive for any further instances of the executable and deleted them as found.

I know you may have something completely different, but there is the chance you have yet another variant of the same bugger.

Best of luck to you. Let us know your results.

"The Crystal Wind is the storm, and the storm is data, and the data is life. You have been slaves, denied the storm, denied the freedom of your data. That is now ended; the whirlwind is upon you . . . . . . Whether you like it or not."

"Trent the Uncatchable" in The Long Run by Daniel Keys Moran
 
Quick correction.

I mentioned "webimmune.com" - that should be "
Sorry about that.

 
We have found out that it is WORM_RBOT.TK
 