Re: [Clamav-users] New virus/worm? mousebm.exe, eraseme_XXXXX.exe and svnlitup32.exe
Hi Thomas,

> I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from the command line like this:
>
>     scan c:\ /all /sub /clean /log c:\vscan.log
>
> It reported no viruses. Every time I try to install McAfee on the machine, I get an error saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance."
>
> I think I'm screwed. Does this sound familiar to anyone?

Well, ClamAV flagged your email as being Trojan.Downloader.FTP.Gen-4, so I guess it picked up on one of the program names you mentioned. Perhaps this might give you a clue what to look for?

-- 
Regards,
Peter Kiem
Zordah IT - IT Consultancy and Internet Services
Ph: (0414) 724-766   Fax: (07) 3344-5827
Web: www.zordah.net   Email: [EMAIL PROTECTED]
___
http://lurker.clamav.net/list/clamav-users.html
Re: [Clamav-users] New virus/worm? mousebm.exe, eraseme_XXXXX.exe and svnlitup32.exe
> Hi Thomas,
>
>> I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from the command line like this:
>>
>>     scan c:\ /all /sub /clean /log c:\vscan.log
>>
>> It reported no viruses. Every time I try to install McAfee on the machine, I get an error saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance."
>>
>> I think I'm screwed. Does this sound familiar to anyone?
>
> Well, ClamAV flagged your email as being Trojan.Downloader.FTP.Gen-4, so I guess it picked up on one of the program names you mentioned. Perhaps this might give you a clue what to look for?

Yup, this morning I've had several reports from others who have been fighting this critter. Looks like it's an IRCBot variant or maybe SDBot.

Thanks to all who replied!

Thomas
[Clamav-users] New virus/worm? mousebm.exe, eraseme_XXXXX.exe and svnlitup32.exe
All -

I am posting this here because this group knows more about viruses than anyone I know. Forgive me if this is OT.

I have a Windows 2000 server which somehow got connected to the 'Net without AV software on it. Now there is a new service called "Mouse Button Monitor" which is controlled by %windir%\system32\mousebm.exe. I also found the following files in %windir%\system32 which appear to be new:

    08/15/2005  09:00p             8,201 .exe
    08/15/2005  12:42p             1,518 eq
    08/15/2005  11:28a                 0 eraseme_61087.exe
    08/15/2005  11:28a                71 i
    08/15/2005  08:39a             8,201 mousebm.exe
    08/14/2005  04:00p                 0 svnlitup32.exe

The file called .exe has the system and hidden attributes set. I deleted the files from system32 but they re-appear after a reboot.

I try to stop the Mouse Button Monitor using "net stop mousebm /y" and I get:

    C:\DOCUME~1\ADMINI~1\Desktop>net stop mousebm /y
    The requested pause or stop is not valid for this service.

    More help is available by typing NET HELPMSG 2191.

The stop and pause buttons are greyed out for the Mouse Button Monitor service.

The file i contains entries like this:

    open 24.173.15.63 16670
    user 1 1
    get eraseme_61087.exe
    quit

The file eq contains pages and pages of entries which look like this:

    open 24.173.252.20 10082
    user 23107 28392
    get svnlitup32.exe
    quit
    open 24.173.144.52 1317
    user 17789 4406
    get svnlitup32.exe
    quit
    open 24.173.2.21 30380
    user 31975 3371
    get svnlitup32.exe
    quit
    open 24.173.2.116 14953
    user 16493 3501
    get svnlitup32.exe
    quit

I grabbed the latest McAfee SuperDAT and extracted it. I ran scan.exe from the command line like this:

    scan c:\ /all /sub /clean /log c:\vscan.log

It reported no viruses. Every time I try to install McAfee on the machine, I get an error saying "The Windows Installer Service could not be accessed. This can occur if you are running Windows in safe mode, or if the Windows installer is not correctly installed. Contact your support personnel for assistance."

I think I'm screwed. Does this sound familiar to anyone?

Thomas
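The files i and eq quoted in the post are plain FTP command scripts of the kind the Windows ftp client runs with `ftp -s:<file>`: each block opens a host on an odd port, logs in with throwaway numeric credentials and fetches one payload. The signature name ClamAV reported on Peter's copy of the mail, Trojan.Downloader.FTP.Gen-4, points at the same format. The following is an added example, not code from the post or from ClamAV: it parses that format into records and summarises hosts, ports and payload names so they can be blocked and hunted for. The sample scripts are constructed from the excerpts quoted above; the `ftp -s:` invocation, the /16 grouping and the "spreader tells" are this example's assumptions, not something the post states.

```python
"""Added example: extract download IOCs from the FTP scripts a bot drops.

Files like `i` and `eq` in the post are Windows ftp.exe command scripts
(run as `ftp -s:<file>`): `open <host> <port>`, `user <u> <p>`,
`get <file>`, `quit`.  This parses that format and summarises it.
"""
from __future__ import annotations

import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FtpJob:
    host: str
    port: int
    user: str = ""
    password: str = ""
    files: list[str] = field(default_factory=list)


_OPEN = re.compile(r"^\s*open\s+(\S+)(?:\s+(\d{1,5}))?\s*$", re.I)
_USER = re.compile(r"^\s*user\s+(\S+)(?:\s+(\S*))?\s*$", re.I)
_GET = re.compile(r"^\s*(?:get|recv|mget)\s+(\S+)", re.I)


def parse_ftp_script(text: str) -> list[FtpJob]:
    """One FtpJob per `open`; user/get lines attach to the current job and
    quit/bye closes it.  Unrecognised lines are skipped, so a partly
    overwritten script still yields what it can."""
    jobs: list[FtpJob] = []
    cur: FtpJob | None = None
    for line in text.splitlines():
        if m := _OPEN.match(line):
            cur = FtpJob(m.group(1), int(m.group(2) or 21))  # ftp defaults to 21
            jobs.append(cur)
        elif cur is None:
            continue  # user/get before any open: nothing to attach to
        elif m := _USER.match(line):
            cur.user, cur.password = m.group(1), m.group(2) or ""
        elif m := _GET.match(line):
            cur.files.append(m.group(1))
        elif line.strip().lower() in ("quit", "bye"):
            cur = None
    return jobs


def summarize(jobs: list[FtpJob]) -> dict:
    """Block-list material plus tells that mark a spreader script rather than
    an admin's: non-standard ports, throwaway numeric credentials, one payload
    name.  The /16 grouping is an assumption for convenience, not a claim
    about the attacker's address space."""
    hosts = Counter(j.host for j in jobs)
    nets: Counter = Counter()
    for h, n in hosts.items():
        try:
            nets[str(ipaddress.ip_network(f"{h}/16", strict=False))] += n
        except ValueError:  # a hostname rather than an address
            nets["(hostname)"] += n
    return {
        "jobs": len(jobs),
        "hosts": dict(hosts),
        "nets": dict(nets),
        "payloads": dict(Counter(f for j in jobs for f in j.files)),
        "nonstandard_port_jobs": sum(j.port != 21 for j in jobs),
        "numeric_cred_jobs": sum(j.user.isdigit() and j.password.isdigit() for j in jobs),
    }


# Constructed samples: the `i` and `eq` excerpts quoted in the post.
SAMPLE_I = "open 24.173.15.63 16670\nuser 1 1\nget eraseme_61087.exe\nquit\n"
SAMPLE_EQ = (
    "open 24.173.252.20 10082\nuser 23107 28392\nget svnlitup32.exe\nquit\n"
    "open 24.173.144.52 1317\nuser 17789 4406\nget svnlitup32.exe\nquit\n"
    "open 24.173.2.21 30380\nuser 31975 3371\nget svnlitup32.exe\nquit\n"
    "open 24.173.2.116 14953\nuser 16493 3501\nget svnlitup32.exe\nquit\n"
)

if __name__ == "__main__":
    for name, text in (("i", SAMPLE_I), ("eq", SAMPLE_EQ)):
        print(name, summarize(parse_ftp_script(text)))
```

Run it over the real files from %windir%\system32 (they are text) to get the full host list; the `payloads` entry tells you which file names to hunt for on other machines, and `hosts` is what goes into an egress block rule while the service is dealt with.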
Re: [Clamav-users] New virus/worm ???
Yep!

- Original Message -
From: Michael Brennen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 12:58 PM
Subject: [Clamav-users] New virus/worm ???

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?
>
> -- Michael

---
This SF.Net email is sponsored by OSTG. Have you noticed the changes on Linux.com, ITManagersJournal and NewsForge in the past few weeks? Now, one more big change to announce. We are now OSTG - Open Source Technology Group. Come see the changes on the new OSTG site. www.ostg.com
___
Clamav-users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/clamav-users
Re: [Clamav-users] New virus/worm ???
On Mon, 9 Aug 2004 12:58:52 -0500 (CDT)
Michael Brennen [EMAIL PROTECTED] wrote:

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The

The database has been updated on 17.00 GMT.

> names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

Our interface is temporarily broken and doesn't reject those files. Please do not submit them.

-- 
   oo    .....         Tomasz Kojm [EMAIL PROTECTED]
  (\/)\.........       http://www.ClamAV.net/gpg/tkojm.gpg
     \..........       0DCA5A08407D5288279DB43454822DC8985A444B
       //\   /\        Mon Aug  9 20:23:15 CEST 2004
Re: [Clamav-users] New virus/worm ???
On Monday, August 9, 2004, 7:58:52 PM, Michael Brennen wrote:

MB> Just in the last few minutes I've started getting hit with several
MB> copies of a zip packaged exe file from widely varying sources. The
MB> names are of the form 'price.*\.zip'. I've submitted a copy online
MB> and it was accepted. Anyone else seeing this?
MB>
MB> -- Michael

Please run freshclam asap.

-- 
Best regards,
 Christoph                      mailto:[EMAIL PROTECTED]
Re: [Clamav-users] New virus/worm ???
> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

We were seeing a bunch; however, new signatures are catching it.

John

-- 
John Madden
UNIX Systems Engineer
Ivy Tech State College
[EMAIL PROTECTED]
Re: [Clamav-users] New virus/worm ???
At 10:58 AM 8/9/2004, Michael Brennen wrote:

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

Tons of 'em. Run freshclam -- update 444 picks it up as Trojan.JS.RunMe.

Kelson Vibber
SpeedGate Communications
www.speed.net
Re: [Clamav-users] New virus/worm ???
On Mon, Aug 09, 2004 at 12:58:52PM -0500, Michael Brennen said:

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?

Yes - it contains an executable, price.exe. clam is not currently picking it up as a virus. I was going to submit it, but if you already have, I'll hold off.

-- 
 --------------------------------------------------------------------------
| Stephen Gran                  | * knghtbrd can already envision:         |
| [EMAIL PROTECTED]             | Subject: [INTENT TO PREPARE TO PROPOSE   |
| http://www.lobefin.net/~steve | FILING OF BUG REPORT] Typos in the       |
|                               | policy document                          |
 --------------------------------------------------------------------------
Re: [Clamav-users] New virus/worm ???
Michael Brennen said the following on 8/9/2004 7:58 PM GMT+2:

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?
>
> -- Michael

Run freshclam. daily 444 detects the price zip as Trojan.RunMe.

The price.exe has some URLs inside it; if you wget that 2.jpg you get a Worm.Bagle.AI, which made it into daily 445.

Regards,
Niek Baakman
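The zips in this thread carried a single executable, price.exe, that ClamAV did not catch until daily 444 (and the second-stage download not until daily 445). As an added example, not code from the thread or from ClamAV, here is the kind of attachment triage a mail gateway can do while waiting for a signature: it checks the reported name pattern and, more usefully, opens the archive and looks for the PE "MZ" header in every member regardless of what the member is called, so a renamed payload is still held. The sample archives are constructed in memory around a two-byte "MZ" stub and contain no real code; the extension list, the size and member-count limits and the hold/pass verdict are this example's assumptions.

```python
"""Added example: hold mail attachments that are zips wrapping a PE file.

A name pattern like price.*\.zip is brittle; the member's leading bytes
are not.  ZIP_DEFLATED needs zlib, which CPython ships with.
"""
from __future__ import annotations

import io
import re
import zipfile

CAMPAIGN_NAME = re.compile(r"^price.*\.zip$", re.I)  # pattern reported in the thread
EXEC_EXT = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}  # assumed list
MAX_MEMBERS = 64                 # a mail filter should not walk huge archives
MAX_MEMBER_SIZE = 50 * 1024 * 1024


def inspect_zip(name: str, data: bytes) -> dict:
    """Verdict for one attachment: hold it if any reason fires."""
    reasons: list[str] = []
    if CAMPAIGN_NAME.match(name):
        reasons.append("name matches campaign pattern")
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a zip at all; report it, hold only if the name already matched.
        return {"name": name, "hold": bool(reasons), "reasons": reasons + ["not a valid zip"]}
    with zf:
        infos = zf.infolist()
        if len(infos) > MAX_MEMBERS:
            reasons.append(f"too many members ({len(infos)})")
            infos = infos[:MAX_MEMBERS]
        for info in infos:
            if info.is_dir():
                continue
            ext = "." + info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            if ext in EXEC_EXT:
                reasons.append(f"executable extension: {info.filename}")
            if info.file_size > MAX_MEMBER_SIZE:
                reasons.append(f"oversized member: {info.filename}")
                continue  # do not inflate it; the declared size alone is enough to hold
            with zf.open(info) as fh:
                head = fh.read(2)  # only the DOS header magic is needed
            if head == b"MZ":
                reasons.append(f"PE header in member: {info.filename}")
    return {"name": name, "hold": bool(reasons), "reasons": reasons}


def make_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip from {member name: content} (test fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for fname, content in members.items():
            zf.writestr(fname, content)
    return buf.getvalue()


# Constructed samples: a fake "MZ" stub standing in for price.exe, the same
# stub hiding behind a .txt name, and a benign archive.
SAMPLE_WORM_ZIP = make_zip({"price.exe": b"MZ" + b"\x00" * 62 + b"not a real PE"})
SAMPLE_RENAMED = make_zip({"invoice.txt": b"MZ" + b"\x00" * 62})
SAMPLE_BENIGN = make_zip({"readme.txt": b"Just a text file.\n"})

if __name__ == "__main__":
    for n, d in (("price_1234.zip", SAMPLE_WORM_ZIP),
                 ("docs.zip", SAMPLE_RENAMED),
                 ("docs.zip", SAMPLE_BENIGN)):
        print(inspect_zip(n, d))
```

The header check is deliberately shallow: it reads two bytes per member and never inflates oversized entries, so it stays cheap enough to sit in the delivery path. It will not see inside nested or password-protected archives; those still need the scanner, which is why running freshclam as the thread says remains the real fix.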
Re: [Clamav-users] New virus/worm ???
On Mon, 9 Aug 2004, Tomasz Kojm wrote:

> On Mon, 9 Aug 2004 12:58:52 -0500 (CDT)
> Michael Brennen [EMAIL PROTECTED] wrote:
>
>> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The
>
> The database has been updated on 17.00 GMT.

Updates are run hourly at *:43; looks like the 13:43 update got it, as Trojan.JS.RunMe is now being caught. Next time I'll run freshclam manually first. Thanks much.

-- Michael
Re: [Clamav-users] New virus/worm ???
- Original Message -
From: Michael Brennen [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, August 09, 2004 1:58 PM
Subject: [Clamav-users] New virus/worm ???

> Just in the last few minutes I've started getting hit with several copies of a zip packaged exe file from widely varying sources. The names are of the form 'price.*\.zip'. I've submitted a copy online and it was accepted. Anyone else seeing this?
>
> -- Michael

Yea, I've gotten at least 22 of them in the past hour from the Mod_SSL lists. If it's not one thing it's another :/