
is this Zotob???

1503 Views 2 Replies 3 Participants Last post by MicroBell
Hi,

I have been attacked on both of my Win2K Server machines beginning Sunday. The first indication is an automatic shutdown brought on by NTAUTHORITY/services.exe with an error code of 128. This only happens if my machine is hooked to the internet. All characteristics seem to indicate that this is the Zotob virus, but I'm not positive.

I have also discovered some .exe files in my %systemroot%/system32 folder (which I've moved/deleted). Here are some of the file names:

eq (script that opens an IP, gets an .exe file and quits)
svnlitup32.exe (the file 'gotten' by the 'eq' script)
i (script that opens an IP, gets an .exe file and quits)
eraseme_63770.exe (file used in the 'i' script)
mousebm.exe
o (script that opens an IP, gets an .exe file and quits)
winpnp.exe (file used by the 'o' script)
I also noticed a strange directory in my C: called 'BankApp' that appeared several days before this attack. Possibly related?

I am running out of options since my AVG scan comes back clean, and my HJT log seems clean as well. I just want to get my main web machine on the 'net without unwanted shutdowns. I am also nervous as to how this happened in the first place.

I have my OS set to auto-install all security updates.

Todd
Hello and Welcome to TSF

If you didn't have a trained analyst look over your HJT log, download and install HiJackThis.

(Always create a Folder for HiJackThis anywhere but your Temp/Temporary Internet Folders or Desktop. A good place to make a folder would be in My Documents, as this is where it will save the backup files needed if there's a problem.)

Then double-click HijackThis.exe, and hit "Do A System Scan And Save Log". Make sure all windows and browsers are closed.
When the scan is finished, it is best to save your text file in the same folder where you put HiJackThis.

IMPORTANT
Create a new topic in the HiJackThisLog Help Forum and include a fresh HJT log: copy/paste the info from your saved HijackThis log file into your new topic.

A Moderator/Security Team Analyst will give you instructions.


***DO NOT TRY TO FIX ANYTHING, MAJOR DAMAGE CAN BE DONE TO YOUR SYSTEM IF THIS TOOL IS USED INCORRECTLY, PLEASE WAIT FOR AN ANALYST/MODERATOR TO GIVE YOU INSTRUCTIONS***


Always describe your problem and any programs you have used to try to resolve your issue. Your description can go a long way to solving/repairing your particular issue.
Unsure. The first part of your message about the NTAUTHORITY shutdown does sound like it. However, some of the files you listed are standard malware files and unrelated.

To confirm you have Zotob virus...

Look for these files in the system folder: per.exe, botzor.exe, cms.exe

Also check your RUN keys in the registry for the following entries:

WINDOWS SYSTEM= per.exe
WINDOWS SYSTEM=botzor.exe
WINDOWS SYSTEM=cms.exe


HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Note* There are some other versions of this worm, so you may find other files in the entries. The main giveaway would be that WINDOWS SYSTEM entry in the key.


Install security update MS05-039 <-- This is the MS update needed to block the exploit the worm uses. Here are the removal instructions if you have the worm:

http://www.microsoft.com/security/incident/zotob.mspx
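The check described in the reply above (the three dropped file names, plus the "WINDOWS SYSTEM" value under the Run and RunServices keys) can be run against a registry export instead of by eye. The script below is an added example and not code from the thread or from Microsoft; it parses the text that regedit's File > Export (or `reg export`) produces, which is an assumption about the input format, and the sample export and system-folder listing embedded in it are constructed for the demonstration rather than captured from an infected host.

```python
import re

# Indicators named in the reply: files dropped in the system folder and the
# autostart value name the worm registers under Run / RunServices.
ZOTOB_FILES = {"per.exe", "botzor.exe", "cms.exe"}
ZOTOB_VALUE_NAME = "WINDOWS SYSTEM"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
}

# Constructed sample of a .reg export of the two autostart keys (not real data).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe /logon"
"WINDOWS SYSTEM"="botzor.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"WINDOWS SYSTEM"="per.exe"
"""

# Constructed directory listing of %systemroot%\system32 (not real data).
SAMPLE_SYSTEM32_LISTING = ["kernel32.dll", "cms.exe", "notepad.exe"]

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: string_data}}.

    Only REG_SZ values (the `"name"="data"` form) are kept; the default value
    (`@=`) and binary/dword values are ignored, which is enough for Run keys.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE_LINE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def find_zotob_indicators(reg_keys, system32_listing):
    """Return a list of (kind, location, value_name, data) findings.

    kind is one of:
      autostart-value-name  - a Run/RunServices value named WINDOWS SYSTEM
                              (the reply calls this the main giveaway)
      autostart-known-file  - a Run/RunServices value launching a listed file
      system-folder-file    - a listed file name present in system32
    """
    findings = []
    for key, values in reg_keys.items():
        if key.lower() not in RUN_KEYS:
            continue
        for name, data in values.items():
            # First token of the command line, without any directory prefix.
            # (Quoted paths with spaces are not handled; Run values on a
            # Win2K box are usually a bare file name.)
            first = data.split()[0] if data.split() else ""
            basename = first.rsplit("\\", 1)[-1].lower()
            if name.upper() == ZOTOB_VALUE_NAME:
                findings.append(("autostart-value-name", key, name, data))
            elif basename in ZOTOB_FILES:
                findings.append(("autostart-known-file", key, name, data))
    for fname in system32_listing:
        if fname.lower() in ZOTOB_FILES:
            findings.append(("system-folder-file", "system32", fname, ""))
    return findings


def scan_sample():
    """Run the check over the constructed sample data."""
    return find_zotob_indicators(parse_reg_export(SAMPLE_REG_EXPORT),
                                 SAMPLE_SYSTEM32_LISTING)


if __name__ == "__main__":
    for kind, location, name, data in scan_sample():
        print(f"{kind}: {location} {name!r} {data!r}")
```

On a real machine, export the two keys from regedit to a file, read that file in place of `SAMPLE_REG_EXPORT`, and pass `os.listdir` of the system32 folder as the listing; a "WINDOWS SYSTEM" value is flagged whatever file it points at, because the reply notes that other variants drop other file names.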