Security Basics mailing list archives

RE: Possible worm infection or something else?


From: "Rama Rao Adharapurapu" <RamaRao.Adharapurapu () halliburton com>
Date: Mon, 1 Dec 2003 10:50:03 -0600

This looks like the Welchia worm, which removes Blaster. Try running the
Welchia removal tool in safe mode, available at
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html

Check KB824146 is applied! And reboot.
Regards,
Ramu

-----Original Message-----
From: Firefly Digital Media [mailto:brian () fireflydigitalmedia com] 
Sent: Friday, November 28, 2003 5:48 PM
To: Giancarlo Ballestracci - IT & Technical Support
Cc: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: RE: Possible worm infection or something else?

I had the same problem with an XP machine; it ended up being junky drivers.
(HP junk)
Is your system in question a Hewlett Packard?

Brian

-----Original Message-----
From: Giancarlo Ballestracci - IT & Technical Support
[mailto:giancarlo.ballestracci () progenit it]
Sent: Friday, November 28, 2003 3:41 AM
To: security-basics () securityfocus com; focus-virus () securityfocus com
Subject: Possible worm infection or something else?
Importance: High


Hi The Group,
I hope someone can give me good advice about this problem. I have a notebook
with multiboot startup (2 Win2k, 1 WinXP). On the first Win2k partition,
svchost.exe takes 100% of the CPU's resources. The system is regularly
patched (SP4 and all the latest Hot Fixes), and the personal firewall and
Antivirus clients are updated. Scans with Symantec and Trend Micro have found
nothing. I've tried to shut down all the services possible, without good
results. I've also removed the last six applications installed: nothing
happened. Only in safe mode (clear...) does the CPU work fine.
Is it possible that a (new) worm is sleeping inside the client? Initially, I
thought about a Blaster worm... I've also checked the system registry, but
there is nothing strange in the RUN key of LOCAL MACHINE.

Can anybody enlighten me?

Thanks in advance

Giancarlo
IT Manager

