-
Prophet,
I haven't downloaded anything lately. And why would it come back after restoring a previous image from a month ago?
After deleting one more file in the Windows registry (that thing was everywhere), I went to Housecall and ran their online scan on ALL of my drives. It shows I'm clean.
Your link gives me a blank page. :confused: Got another one?
-
I particularly like the part of Prophet's link that says Discovered on: September 30, 2002 :)
The fixed link is
http://securityresponse.symantec.com...serv.worm.html
There's been a boom in UDP port 137 activity since about the 26th - and this is network aware - I wonder ??
-
Well I discovered it on the 28th. :D
Thanks for the link. I also just deleted the tmp.ini file. According to Symantec, maybe I should create a new one?
-
Nope. Windows doesn't use one - and if it was me I'd like to know if something else was re-creating it - but if you do that as Symantec suggests in an attempt to prevent re-inoculation - then mark it read only (and perhaps hidden?).
Didn't mail me that file either I see :D
-
Actually, it's still in the recycle bin. Do you want it? :D
-
Yup - zip it first tho'
[email protected]
-
temp.zip is on its way. :)
-
Got it - thx.
Guess using ZA - you probably have no reference to which port it wanted?
Here's a pretty picture :)
http://isc.incidents.org/port_details.html?port=137
-
Glad you got it. I'm gonna delete it for good now. :) No idea what port. My internet access was down Saturday and Sunday and I had already deleted it by the time access was restored today.
The only reason I noticed it was because ZA said it was trying to access the LAN.
Strange that I was surfing Friday nite when the file was apparently created the first time and ZA didn't report it trying to access the net. Could be I had to reboot before it was activated?
Nice picture. That's quite a jump. :eek:
-
"Could be I had to reboot before it was activated?"
Very likely as it loads through Run keys and the "win.ini" file.
That tmp.ini file appears to be a win.ini file which contains:
[windows]
load=
run=c:\windows\scrsvr.exe
ScreenSaveActive=1
ScreenSaveTimeOut=60
lines. (some elements which relate to your printer - I've removed from the section)
I haven't looked through it thoroughly yet.
Is there anything in c:\windows\wininit.bak - or is there a wininit.ini?
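
An added example, not part of the original post: a small check for the win.ini autostart entries described above (the `load=` and `run=` lines in the `[windows]` section). The sample text is constructed from the tmp.ini lines quoted in the post; the function names and the allowlist parameter are hypothetical, and it assumes entries are space- or comma-separated paths without embedded spaces. It does not look at the registry Run keys.

```python
# Constructed sample, modelled on the tmp.ini contents quoted in the post.
SAMPLE_INI = r"""
[windows]
load=
run=c:\windows\scrsvr.exe
ScreenSaveActive=1
ScreenSaveTimeOut=60

[Desktop]
Wallpaper=(None)
"""

AUTOSTART_KEYS = ("load", "run")  # [windows] keys that start programs at logon


def autostart_entries(ini_text):
    """Return (key, program) pairs found in load=/run= under [windows]."""
    entries = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()  # section names are case-insensitive
            continue
        if section != "windows" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in AUTOSTART_KEYS:
            # Assumption: several programs may be listed, split on spaces/commas.
            for prog in value.replace(",", " ").split():
                entries.append((key.strip().lower(), prog))
    return entries


def unexpected(entries, allowlist=()):
    """Drop entries the owner knows about; what remains needs a look."""
    allowed = {p.lower() for p in allowlist}
    return [(k, p) for k, p in entries if p.lower() not in allowed]


if __name__ == "__main__":
    for key, prog in unexpected(autostart_entries(SAMPLE_INI)):
        print(f"win.ini [windows] {key}= starts {prog}")
```
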
-
Crazy thought, but I allow WinMx to act as a server thru ZA. Don't remember if I was downloading anything with it Friday nite, but it would have been a couple of files I had started some time ago and was trying to complete. Those particular files show up clean on the housecall scan though.
Could something have "sneaked" in thru the WinMx server?
If so, that is really scary.
-
OK...this is crazy. It's back. I'm gonna zip it and send it to you.
I also removed winmx from ZA permissions completely and deleted the partial downloads I had.
-
Don't know enough about WinMX to say but I see no reason why not.
"Those particular files show up clean on the housecall scan though."
"Discovered on: September 30, 2002"
What are the odds it's in their signature files yet? From what little I know about it at this point - it sure seems easy to detect (hope that lasts - but...)
-
They have it.
Opasoft
(Sorry. This thread should have been in Internet Security/Viruses. Didn't know what it was going to turn into.)
-
True - but at this point I'll bet it's a lot easier to detect the infection rather than the infector. (assuming there is a file that will spread it as well as simple net shares)