Security Basics mailing list archives

RE: Hacked


From: "Mauricio Fernandez" <mfernandez () fdta-valles org>
Date: Thu, 14 Apr 2005 14:50:01 -0400



Yes, that was exactly what I did, and the virus was removed...
Now I need to find out how the hacker put that on my server...

Thanks...

Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia

-----Original Message-----
From: P. Rodriguez [mailto:prodriguez () deltum com] 
Sent: Thursday, April 14, 2005 2:31 PM
To: mfernandez () fdta-valles org
Subject: RE: Hacked
Importance: High

Try this:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_PARITE.B

Got it from
http://www.experts-exchange.com/Security/Win_Security/Q_20676310.html,
which is #2 when you google for 'pe_parite.b'.

 

-----Original Message-----
From: Mauricio Fernandez [mailto:mfernandez () fdta-valles org] 
Sent: Thursday, April 14, 2005 10:46 PM
To: security-basics () securityfocus com
Subject: Hacked

This morning I found a wwwhack window open on one of my W2K servers; the
antivirus agent (TrendMicro) had been deleted, and when I reinstalled it, it
found about 4500 viruses named PE_PARITE.B.

Now the virus is still regenerating itself, creating files in the winnt\temp
folder. I looked at the task list and stopped all the suspicious processes, but
the virus still goes on...

The virus/hacker created a folder named RADMIN, where he copied these files:
r_server.exe
admdll.dll
hide.reg
raddrv.dll
pro.bat
start.bat

Does anyone know how to remove this virus and avoid this hack vulnerability?


Mauricio Fernández S.
IT Manager
Tel. 591- 445-25160
Fax. 591- 441-15056
mfernandez () fdta-valles org
www.fdta-valles.org
Cochabamba - Bolivia
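The original post names two concrete observations a responder can check for: a folder called RADMIN containing a fixed set of file names, and files that keep appearing in winnt\temp. The following triage sweep is an added example and is not code from the thread or from any of its participants. It walks a directory tree, reports any directory named RADMIN and any file whose name is one of those listed in the post (recording a SHA-256 so the finding can be compared with a vendor's record later), and separately lists files modified within a recent window in a temp folder. The sample tree it builds is constructed for the demo; the file contents are placeholders, not samples of the malware.

```python
"""Triage sweep for the artifacts described in the post (added example)."""
import hashlib
import os
import tempfile
import time
from pathlib import Path

# File names the original post lists inside the RADMIN folder.
RADMIN_ARTIFACTS = frozenset({
    "r_server.exe", "admdll.dll", "hide.reg",
    "raddrv.dll", "pro.bat", "start.bat",
})


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def sweep(root):
    """Walk root and return sorted (path, reason, sha256_or_None) tuples for
    every directory named RADMIN and every file whose name is one of the
    listed artifacts. Matching is case-insensitive because NTFS is."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            if d.lower() == "radmin":
                hits.append((os.path.join(dirpath, d), "directory named RADMIN", None))
        for f in filenames:
            if f.lower() in RADMIN_ARTIFACTS:
                full = os.path.join(dirpath, f)
                hits.append((full, "file name listed in the post", sha256_of(full)))
    return sorted(hits)


def recent_files(directory, within_seconds, now=None):
    """Files under directory modified within the last within_seconds.
    Useful for watching a temp folder that keeps acquiring new files."""
    now = time.time() if now is None else now
    found = []
    for dirpath, _, filenames in os.walk(directory):
        for f in filenames:
            full = os.path.join(dirpath, f)
            if now - os.path.getmtime(full) <= within_seconds:
                found.append(full)
    return sorted(found)


def build_sample_tree(base):
    """Constructed sample layout for a demo run; contents are placeholders."""
    radmin = Path(base) / "winnt" / "RADMIN"
    radmin.mkdir(parents=True)
    for name in ("r_server.exe", "hide.reg"):
        (radmin / name).write_bytes(b"placeholder")
    temp = Path(base) / "winnt" / "temp"
    temp.mkdir()
    (temp / "dropped.tmp").write_bytes(b"placeholder")
    return str(base)


def demo():
    """Run sweep() and recent_files() over the constructed tree and return
    the findings with paths made relative, so the result is deterministic."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = [(os.path.relpath(p, tmp), reason, digest)
                for p, reason, digest in sweep(tmp)]
        recent = [os.path.relpath(p, tmp)
                  for p in recent_files(os.path.join(tmp, "winnt", "temp"), 60)]
    return {"hits": hits, "recent": recent,
            "placeholder_sha256": hashlib.sha256(b"placeholder").hexdigest()}


if __name__ == "__main__":
    result = demo()
    for path, reason, digest in result["hits"]:
        print(f"{reason}: {path}" + (f" sha256={digest}" if digest else ""))
    for path in result["recent"]:
        print(f"recently modified in temp: {path}")
```

On a real host you would point sweep() at the system drive and recent_files() at the actual winnt\temp folder with a window matching how often new files appear; the file-name match is only a first filter, and the hashes are there so that whatever is found can be checked against the vendor write-up before anything is deleted.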

