Richard,

Reboot the server into SAFE MODE and then SCAN using a GOOD ANTI-VIRUS program. It's the only way to get rid of the A.EXE, X.EXE and .EXE virus files, as they lock themselves into memory as SERVICES once the server is infected and cannot be removed when the server is running in normal mode.
You will probably have to launch a MANUAL SCAN, as many anti-virus programs will not auto-load in safe mode. The virus can also install itself onto Windows 95, 98, ME, Windows 2000 and Windows XP workstations. The virus activity DOES NOT show up in the task manager, as the services generated by the virus are masked to the system. You'd best check your entire network if you have more than one server or computer and, if necessary, scan them all in SAFE MODE. If they have installed themselves onto XP or ME machines, you'll also need to disable the system restore service on the machines BEFORE running the virus scan in safe mode, or the machines will just reinstall the virus when you reboot them.

a.exe is registered as the [EMAIL PROTECTED] worm and is also detected as Trojan.KillAV.C; both of which are transmitted via both e-mail and unprotected internet connections, and attempt to install themselves on your computer. It usually travels as an HTML attachment to e-mail but can also be an errant HTML web page that's become infected without the owner's knowledge. We've had brand new machines infected prior to them being put into service because a tech "forgot" to install the AV product on the machine before he connected them to the internet.

This is an especially fun virus to get rid of because of the way it infects the machine. When the machine is infected, usually because an infected html file is opened, the virus does the following:

Drops the q.vbs file and executes it.

The q.vbs file does the following:

- Drops x.exe and executes it, which terminates any security programs.
- Downloads q.exe from a predetermined Web site and executes it.
- Drops and executes the following files:
    %Windir%\5845.exe
    %Windir%\msreg.exe
    %System%\svchostc.exe
    %System%\svchosts.exe
- Adds the value:
    "msreg.exe"="%Windir%\msrege.exe"
  to the registry key:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Downloads configuration information from predetermined Web sites, and then runs svchostc.exe and svchosts.exe with these configurations. By default svchosts.exe will open port 24759 and svchostc.exe will open port 14728.
- Adds the value:
    "putil"="%Windir%\5845.exe"
  to the registry key:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Connects to a predetermined SMTP server and sends an email message to a certain email address. The message contains the following information:
    Operating system version
    Registered user name
    Organization name
    AIM user accounts
    ICQ accounts
    Trillian accounts
    Ghisler Windows Commander and Total Commander information
    SMTP and POP email accounts and passwords

You will then have to install an anti-virus program that scans everything on the server except the SPOOL and MAIL directories on a continuous basis to prevent these kinds of viruses from being reinstalled on your mail server again. I would also set IMail to prevent the receipt of any EXE, COM, VBS or other executable files via the SPAM filters. We scan and DELETE all executable file types, including ZIP files, in addition to having anti-spam software and firewalls - both hardware and software. These viruses can install themselves on any machine that's connected to the internet and not protected by both a FIREWALL and ANTI-VIRUS program. You need BOTH.
Bruce Barnes

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Richard Farris
Sent: Saturday, December 02, 2006 20:50
To: [email protected]
Subject: [IMail Forum] Virus on Imail server

Since 10/06/06 I have been fighting a virus on my mail server... was not too concerned about it until last week when it evidently helped me get blacklisted with SpamCop, Spamhaus, UBL and some others... can anyone tell me how to get rid of it... I have tried everything to no avail...

The virus is putting "a.exe" and ".exe" in the winnt\system32 folder and/or the C:\ drive. Also it has 1x32.exe or 2X32.exe or 0X32.exe running in the Task Manager and it installs a Numeric file in the Registry... It also puts files like Hub101bl in the Internet.IE5 folder in Temporary Internet Files...

SpamCop said I had a proxy virus that is sending out emails... maybe thru forms on the server as this is my web server also... don't understand that but I don't doubt it...

I have made a temporary solution by relaying mail to a server that is not listed and so far in the past week it is OK... but the 65.240.164.10 server keeps getting blacklisted by one or more lists... I have Declude Hijack and have locked the server down by requiring all customers to go to server authentication... I thought that would stop it... NOT.

I can clean the server completely with F-Prot then Trojan Hunter and the next morning it is all back and I have to try to do the same thing over... sometimes the server will stay clean for days and sometimes just a few minutes... it is driving me crazy... anyone else out there ever experience this and if so how did you fix it...

Many of my Google searches have brought up Chinese web sites which may be the source... I am not sure...

This web site has a very good description of what I am seeing but has not helped me...
http://translate.google.com/translate?hl=en&sl=de&u=http://www.pc-magazin.de/internet/cm/virenecke/show_sophos.php%3Fid%3D3570&sa=X&oi=translate&resnum=1&ct=result&prev=/search%3Fq%3D2x32.exe%2Bvirus%26hl%3Den%26lr%3D

If you need any more info let me know and if you think you can help I will email you directly...

Richard Farris
Ethixs Online
1.270.247.5555 Office
1.800.548.3877 Tech Support
"Crossroads to a Cleaner Internet"

To Unsubscribe: http://www.ipswitch.com/support/mailing-lists.html
List Archive: http://www.mail-archive.com/imail_forum%40list.ipswitch.com/
Knowledge Base/FAQ: http://www.ipswitch.com/support/IMail/
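Bruce's write-up gives concrete indicators (the dropped file names, the two Run-key values, ports 24759 and 14728) and Richard adds the 1x32/2X32/0X32.exe names he sees in Task Manager. The script below is an added example, not code from the thread or from Ipswitch, that checks those indicators offline against text collected from the box with `reg export`, `netstat -an` and `dir /s /b` (the collection commands and the sample artifacts are my own construction; the indicator list is assumed complete only for what this thread names):

```python
r"""Offline triage of artifacts from a suspect Windows mail server.

Added example; not code from the IMail thread. Collect on the box with
(assumed commands):
    reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run hklm_run.reg
    reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run hkcu_run.reg
    netstat -an > netstat.txt
    dir /s /b C:\WINNT > files.txt
`reg export` writes UTF-16; open those with encoding="utf-16".
"""
import re

# File names the thread mentions (Bruce's write-up plus Richard's sightings).
SUSPECT_BINARIES = {
    "a.exe", "x.exe", "q.exe", "5845.exe", "msreg.exe", "msrege.exe",
    "svchostc.exe", "svchosts.exe", "1x32.exe", "2x32.exe", "0x32.exe",
}
# Ports the write-up says svchosts.exe and svchostc.exe open by default.
SUSPECT_PORTS = {24759, 14728}

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')


def _file_name(path):
    """Lower-cased last path component, accepting either slash."""
    return path.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _command_exe(command):
    r"""Executable named by a Run-key command: "C:\x y\a.exe" /s -> a.exe."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
    else:
        exe = command.split()[0] if command.split() else ""
    return _file_name(exe)


def find_suspect_run_values(reg_text):
    """(key, value name, command) for Run entries launching a suspect binary.
    Undoes the doubled backslashes and escaped quotes of the .reg format."""
    hits, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current_key = key.group(1)
            continue
        val = _VALUE_RE.match(line)
        if val and current_key:
            name, raw = val.groups()
            command = raw.replace("\\\\", "\\").replace('\\"', '"')
            if _command_exe(command) in SUSPECT_BINARIES:
                hits.append((current_key, name, command))
    return hits


def find_suspect_sockets(netstat_text):
    """(proto, local address, state) for every socket on a suspect port.
    ESTABLISHED entries are kept: a live connection on 14728 is the proxy in use."""
    hits = []
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        try:
            port = int(parts[1].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        if port in SUSPECT_PORTS:
            hits.append((parts[0], parts[1], parts[3] if len(parts) > 3 else ""))
    return hits


def find_suspect_files(listing_text):
    """Paths from a `dir /s /b` listing whose name is a suspect binary.
    The real svchost.exe is not in the set, only the svchostc/svchosts lookalikes."""
    return [p.strip() for p in listing_text.splitlines()
            if p.strip() and _file_name(p) in SUSPECT_BINARIES]


# Constructed sample artifacts (not captured from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msreg.exe"="C:\\WINNT\\msrege.exe"
"IMail"="\"C:\\Program Files\\Ipswitch\\IMail\\imailsrv.exe\" /service"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"putil"="C:\\WINNT\\5845.exe"
'''
SAMPLE_NETSTAT = """Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:24759          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:14728          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:14728       198.51.100.7:3341      ESTABLISHED
  UDP    0.0.0.0:24759          *:*
"""
SAMPLE_LISTING = r"""C:\WINNT\5845.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchostc.exe
C:\WINNT\system32\svchosts.exe
C:\WINNT\system32\drivers\etc\hosts
"""


def triage(reg_text=SAMPLE_REG, netstat_text=SAMPLE_NETSTAT, listing_text=SAMPLE_LISTING):
    """Run all three checks and return the findings in one dict."""
    return {"run_keys": find_suspect_run_values(reg_text),
            "sockets": find_suspect_sockets(netstat_text),
            "files": find_suspect_files(listing_text)}


if __name__ == "__main__":
    for kind, findings in triage().items():
        print(kind)
        for finding in findings:
            print("   ", " | ".join(finding))
```

Run it against the exported text rather than on the infected box itself: the write-up says the services hide from Task Manager, so a file listing, a registry export and a socket table taken from safe mode (or from the mounted disk) are more trustworthy than anything a live tool reports. A name match is only a lead; the same triage on a clean machine should return empty lists for all three.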
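The attachment policy Bruce describes (delete EXE, COM, VBS and ZIP attachments rather than deliver them) is shown below as an added example in Python's standard library; it is not IMail, Declude or any other product's configuration, and the extensions beyond EXE/COM/VBS are my assumption of what "other executable files" covers. The sample message is constructed for the example:

```python
"""Reject executable and ZIP attachments before delivery.

Added example of the policy from the thread, not IMail or Declude
configuration. BLOCKED_EXTENSIONS beyond exe/com/vbs is an assumption.
"""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {"exe", "com", "vbs", "scr", "pif", "bat", "cmd", "js", "wsf", "hta"}


def _ext(name):
    """Last extension, lower-cased, so photo.jpg.exe is judged by "exe"."""
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def blocked_attachments(raw_message):
    """Return [(filename, reason)] for attachments the policy rejects.
    ZIPs are always rejected, as in the thread; the reason lists any
    executable members so the log says what the archive was carrying."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in BLOCKED_EXTENSIONS:
            hits.append((name, "executable attachment"))
        elif ext == "zip":
            try:
                with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
                    inner = [n for n in zf.namelist() if _ext(n) in BLOCKED_EXTENSIONS]
                reason = "zip containing " + ", ".join(inner) if inner else "zip archive"
            except zipfile.BadZipFile:
                reason = "unreadable zip archive"
            hits.append((name, reason))
    return hits


def build_sample_message():
    """Constructed test message: a double-extension EXE, a ZIP with a .vbs
    inside, and a harmless text file that must pass."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "postmaster@example.invalid"
    msg["Subject"] = "your photos"
    msg.set_content("see attached")
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="photo.jpg.exe")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("q.vbs", "WScript.Echo 1")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="docs.zip")
    msg.add_attachment("just some notes", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reason in blocked_attachments(build_sample_message()):
        print(f"DROP {name}: {reason}")
```

Two details matter in practice: the check keys on the last extension, so a double-extension name like photo.jpg.exe is still caught, and an unreadable ZIP is rejected rather than passed, since a filter that only drops what it can open is easy to get around with a corrupt or password-protected archive.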
