Full Disclosure mailing list archives

Re: win2kup2date.exe ?


From: James Tucker <jftucker () gmail com>
Date: Thu, 2 Sep 2004 22:54:17 +0100

<snippage>

Hi all,

   A recommendation for anyone in this situation, try using a copy of
BartPE (http://www.nu2.nu/pebuilder/) and McAfee to detect the files.
I have watched one of these variants actively attack a copy of Norton
Antivirus. Furthermore, the worm in question which I observed started
to hide its executables on parts of the disk it flagged as "damaged",
and Windows began to report this information. Ad-Aware was also
installed on the machine, and after the fight began, Ad-Aware was also
corrupted on the disk. At this time there is no way to verify if this
was truly caused by the infection, although as there was no genuine
corruption found after we cleaned the disk, I suspect that what I am
suggesting is accurate.

BartPE has the ability to run Ad-Aware and McAfee from a cleanly
booted OS (booted from CD) and will mount all NTFS drives on the local
system. Those of you lucky enough to have supported network cards can
get network access too. This is what I use as a last line of recovery
for systems with heavy infection loads. Be warned that some malware /
viruses are placing themselves in portions of the OS that sometimes
need replacing later. Of the common two, one is fixed by "sfc /scannow"
and the other is fixed by repairing the TCP/IP stack using the netsh
command. Windows 2000 is more difficult and I can't remember the fixes
off the top of my head. After this level of infection, where
appropriate I would still recommend a format anyway.

Good luck with your recoveries,

J.

P.S. If read at any time, thank you to Bart and Co, this is one of the
most useful projects you have done, your bootdisks have been a long
standing toolset in my collection.
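
[Editor's added example, not part of James's post.] The two post-cleanup repairs the post mentions for Windows XP, written out as a cmd.exe batch file to be run from an Administrator prompt once the machine has been booted back into the cleaned install. Assumptions (none of them from the post): Windows XP with SP2 applied (needed for "netsh winsock reset"), an arbitrary log path under %SystemDrive%, and that the XP installation CD is available in case sfc finds the dllcache copies were also tampered with. The netsh syntax shown is the XP form, which requires a log-file argument for "int ip reset"; as the post notes, Windows 2000 has no equivalent "netsh int ip reset".

```batch
@echo off
rem Added example (not from the original post): post-cleanup repair steps
rem for Windows XP, run from an Administrator cmd.exe after the BartPE scan.
rem Assumptions: Windows XP SP2 or later; the log paths below are arbitrary.
setlocal
set LOG=%SystemDrive%\repair-log.txt

echo === Repair started %DATE% %TIME% === >> "%LOG%"

rem 1. Rebuild protected system files. Windows File Protection compares
rem    each file against the copy in %SystemRoot%\system32\dllcache and
rem    prompts for the XP CD if that copy is missing or altered too.
rem    Results are written to the System event log (source:
rem    "Windows File Protection"), not to the console.
echo Running sfc /scannow ... >> "%LOG%"
sfc /scannow

rem 2. Reset the TCP/IP stack. On XP this re-creates the Tcpip registry
rem    keys that some malware edits; the log-file argument is required.
echo Resetting TCP/IP ... >> "%LOG%"
netsh int ip reset "%SystemDrive%\netsh-ip-reset.txt" >> "%LOG%" 2>&1

rem 3. Reset the Winsock catalog (XP SP2 and later). Malware that installed
rem    itself as a Layered Service Provider leaves the catalog pointing at a
rem    DLL the AV has just deleted, which breaks all networking until reset.
echo Resetting Winsock ... >> "%LOG%"
netsh winsock reset >> "%LOG%" 2>&1

echo === Repair finished %DATE% %TIME%; reboot required === >> "%LOG%"
type "%LOG%"
endlocal
```

Run it, reboot, then confirm networking with a plain "ping" to a known host; if name resolution still fails after the two netsh resets, the remaining damage is usually outside the stack (hosts file, DNS settings, or proxy keys) and is a separate cleanup step.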

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html