Security Basics mailing list archives

RE: Possible worm infection or something else?


From: "Fraser Morris" <frasermorris74 () hotmail com>
Date: Tue, 9 Dec 2003 11:23:00 -0000

I cleared an Agobot worm from a client's machine last week with those
symptoms; take a look at

W32/Agobot-BD
http://www.sophos.com/virusinfo/analyses/w32agobotbd.html
W32/Agobot-BE
http://www.sophos.com/virusinfo/analyses/w32agobotbe.html
W32/Agobot-BF
http://www.sophos.com/virusinfo/analyses/w32agobotbf.html
W32/Agobot-BH
http://www.sophos.com/virusinfo/analyses/w32agobotbh.html

HTH, Fraser

-----Original Message-----
From: Jimi Thompson [mailto:jimit () myrealbox com]
Sent: 06 December 2003 00:29
To: security-basics () securityfocus com
Cc: focus-virus () securityfocus com
Subject: Re: Possible worm infection or something else?


Sounds more like spyware than a virus if your AV software isn't catching
anything.  Try running SpyBot or Adaware.

HTH,

Jimi

Giancarlo Ballestracci - IT & Technical Support wrote:

Hi The Group,
I hope someone can give me good advice about this problem. I have a notebook
with multiboot startup (2 Win2k, 1 WinXP). On the first partition (Win2k),
svchost.exe takes 100% of the CPU's resources. The system is regularly
patched (SP4 and all the latest Hot Fixes), and the personal firewall and
Antivirus clients are updated. Scans with Symantec and Trend Micro have found
nothing. I've tried to shut down all the services possible, without good
result. I've also removed the last six applications installed: nothing
happened. Only in safe mode (clear...) does the CPU work fine.
Is it possible that a (new) worm is sleeping inside the client? Initially, I
thought about a Blaster Worm... I've also checked the system registry, but
there is nothing strange in the RUN key of LOCAL MACHINE.

Can anybody enlighten me?

Thanks in advance

Giancarlo
IT Manager

