Educause Security Discussion mailing list archives

Re: sys32.pif & msdos-1.pif & msdos.pif


From: "Barbara Chung (DURTSCHI)" <bchung () MICROSOFT COM>
Date: Mon, 19 Sep 2005 12:29:34 -0700


The attacker had full control of the computer, and probably put a
backdoor in there.  That's not entirely relevant though, because there's
no way for you to know what they have done; you can't trust the machine.
The best course is to flatten the machine, and reset the passwords of
any account that was used to log on to it. If this machine is a member of
a domain, and a domain admin logged onto the machine, there will be a
lot more to do.   If you need help with this issue please let me know.


Barbara Chung, CISSP, CISM

Security Advisor, Education

Cell:  917-592-0185
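The reply above says to reset the password of every account that logged on to the compromised host and to widen the response if a domain admin was among them. The script below is an added example, not code from either message in this thread: it reads an export of the host's Security log and produces that list, split into local accounts (reset on the rebuilt box) and domain accounts (reset in the domain), and flags which of those were used for logon types that leave credentials in LSASS on the host. The CSV column layout, the host name LAB-PC-07, the account names and the privileged-account list are all constructed for the example; the event IDs are the real Windows XP/2003 successful-logon IDs (528 interactive, 540 network) and the Vista-and-later 4624.

```python
"""Scope the password reset after a compromised Windows host.

Added example, not code from the original thread. It reads an export
of the compromised host's Security log (a constructed CSV sample is
embedded below; the column layout is an assumption of this example)
and lists every account that logged on, separated into local and
domain accounts, because a domain account whose password was typed
on the box must be reset in the domain, not just locally.
"""
import csv
import io

# Successful logon events: XP/2003 (528, 540) and Vista and later (4624).
SUCCESS_LOGON_EVENTS = {"528", "540", "4624"}

# Logon types that leave the account's credentials in LSASS on the host
# (interactive, batch, service, unlock, RemoteInteractive, cached), which
# is what an attacker with full control of the machine can harvest.
# Plain network logons (type 3) are listed for the reset but not flagged.
CREDENTIAL_EXPOSING_TYPES = {"2", "4", "5", "7", "10", "11"}

# Built-in identities that are not passwords to rotate.
IGNORED_ACCOUNTS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}

# Constructed sample export (columns, names and host are assumptions).
SAMPLE_EXPORT = """event_id,logon_type,account,domain
528,2,lcoles,CBU
540,3,webproxy,CBU
528,10,helpdesk-admin,CBU
528,2,Administrator,LAB-PC-07
4624,5,SYSTEM,NT AUTHORITY
540,3,ANONYMOUS LOGON,NT AUTHORITY
540,3,LAB-PC-08$,CBU
528,2,lcoles,CBU
"""


def logged_on_accounts(export_text, hostname):
    """Return the accounts that logged on, split into local and domain,
    plus the subset whose credentials were exposed in LSASS on the host."""
    result = {"local": set(), "domain": set(), "credentials_exposed": set()}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in SUCCESS_LOGON_EVENTS:
            continue
        account = row["account"]
        if account.upper() in IGNORED_ACCOUNTS or account.endswith("$"):
            continue  # built-in identity or computer account
        # An account whose domain field is the host name is a local account.
        scope = "local" if row["domain"].upper() == hostname.upper() else "domain"
        result[scope].add(account)
        if row["logon_type"] in CREDENTIAL_EXPOSING_TYPES:
            result["credentials_exposed"].add(row["domain"] + "\\" + account)
    return result


def privileged_domain_logons(result, privileged_accounts):
    """Domain accounts from a privileged list (assumed input, e.g. the
    members of Domain Admins) that logged on to the host. Any hit means
    the response widens from this one machine to the domain."""
    return result["domain"] & set(privileged_accounts)


if __name__ == "__main__":
    seen = logged_on_accounts(SAMPLE_EXPORT, "LAB-PC-07")
    print("Reset locally:", sorted(seen["local"]))
    print("Reset in domain:", sorted(seen["domain"]))
    print("Credentials exposed on host:", sorted(seen["credentials_exposed"]))
    print("Privileged domain logons:",
          sorted(privileged_domain_logons(seen, ["helpdesk-admin"])))
```

The log is read from an export rather than queried live because, as the reply says, the compromised machine itself cannot be trusted; pull the log off the box (or from a central collector) before flattening it. Network logons are kept in the reset list because the advice is to reset every account that logged on, not only the ones whose credentials were cached.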

________________________________

From: Laurie Coles [mailto:lcoles () CBU EDU] 
Sent: Monday, September 19, 2005 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] sys32.pif & msdos-1.pif & msdos.pif


We have been having continual problems with a worm. We started out with
msdos.pif running in the processes and it was also in the registry. I
was able to find a tool to remove this worm. I then patched the computer
with the most updated patches from Microsoft. Then I started seeing
msdos-1.pif, now I'm seeing sys32.pif. These PCs have previously had
this worm removed and have been patched. Has anybody else been seeing
this type of problem? I cannot find anything on the internet about the
sys32.pif. Thanks, Laurie Coles


Laurie L. Coles

Director of Network Services

901-321-3480
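The original post describes a .pif file running as a process and also present in the registry, and the names changing (msdos.pif, msdos-1.pif, sys32.pif) between reinfections. The script below is an added example, not code from the poster or from any removal tool: it parses a regedit-style export of the autostart Run keys and reports any value that launches a .pif file, so the check does not depend on one specific file name. The sample .reg text is constructed for the example; the assumption that the worm persists through the Run keys is this example's, the post only says "in the registry"; the three known names are the ones from the post.

```python
"""Find .pif autostart entries in a regedit export.

Added example, not from the original thread. A .pif is a Windows
shortcut to a DOS program and Windows will execute one on startup just
like an .exe, which is why a worm can hide behind it. This scans the
Run/RunOnce keys of HKLM and HKCU for values launching a .pif file.
The sample export below is constructed; export a real one with
  regedit /e run.reg HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
and note that regedit writes UTF-16LE, so decode it before parsing.
"""
import ntpath
import re

# Autostart keys checked (case-insensitive suffix match on the key path).
RUN_KEY_SUFFIXES = ("\\currentversion\\run", "\\currentversion\\runonce")

# File names reported in the original post.
KNOWN_NAMES = {"msdos.pif", "msdos-1.pif", "sys32.pif"}

# A .pif path inside the value data, with or without surrounding quotes.
PIF_PATH = re.compile(r'[^\s"]+\.pif\b', re.IGNORECASE)

# Constructed sample export (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"msdos"="C:\\WINDOWS\\system32\\msdos.pif"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"sys32"="\"C:\\WINDOWS\\sys32.pif\" /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OldGame]
"DisplayIcon"="C:\\legacy\\game.pif"
'''


def _unescape(data):
    """Undo regedit escaping: \\ -> \ and \" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", data)


def find_pif_autostarts(reg_text):
    """Return a list of {key, name, path, known_name} for every Run-key
    value whose data launches a .pif file."""
    hits = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not line.startswith('"'):
            continue
        if not current_key.lower().endswith(RUN_KEY_SUFFIXES):
            continue
        name, sep, data = line.partition('"="')
        if not sep:
            continue  # not a REG_SZ value (e.g. dword:, hex:)
        data = _unescape(data.rstrip('"'))
        match = PIF_PATH.search(data)
        if match:
            path = match.group(0)
            hits.append({
                "key": current_key,
                "name": name.lstrip('"'),
                "path": path,
                "known_name": ntpath.basename(path).lower() in KNOWN_NAMES,
            })
    return hits


if __name__ == "__main__":
    for hit in find_pif_autostarts(SAMPLE_REG):
        flag = "KNOWN" if hit["known_name"] else "review"
        print(f"[{flag}] {hit['key']}  {hit['name']} = {hit['path']}")
```

Entries under other keys (the Uninstall example) are ignored because they do not run at startup. A hit in a Run key is a lead to review, not an automatic verdict; and given the reply above, finding the autostart explains the reinfection but does not make the machine trustworthy.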
