Hi,
A slight addendum to your instructions.
[.]
Then reboot the server. After rebooting, you will now be able to delete
the two offending files. They are located in:
c:\winnt\system32\mousebm.exe
c:\winnt\system32\mousesync.exe
Before rebooting my server I always RENAME a dangerous file...
..maybe this will not work as long as the processes run and can't be stopped
in the task manager. But if possible I too rename the original malware file
and create a new one. (new empty textfile renamed to the previous filename)
Kim,
This most likely wasn't from an infected JPG. This vulnerability is
attacked through TCP ports:
Microsoft Security Bulletin MS05-039
Vulnerability in Plug and Play Could Allow Remote Code Execution and
Elevation of Privilege (899588)
PROTECTED] On Behalf Of Kim Premuda
Sent: Wednesday, August 17, 2005 5:43 AM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] VIRUS WARNING
To all...
I posted this warning to the IMail list as well as the
Declude list, and someone responded with the following link
Thanks for the heads up, Kim. If you still have the files, you can do a
couple more things to help the wider community:
Password protect them in a zip file and submit the samples to:
The handlers at the SANS Internet Storm Center, who love to chase down
new malware and will share with vendors:
] On Behalf Of Colbeck, Andrew
Sent: Tuesday, August 16, 2005 06:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] VIRUS WARNING
Thanks for the heads up, Kim. If you still have the files, you can do a
couple more things to help the wider community:
Password protect them
I blocked it with Declude JunkMail using this in a myfilter:
BODY 15 CONTAINS TVqQAAME//8AAL
BODY 15 CONTAINS UEsDBAoAAI2aUjBdbrA
Thanks,
Chris Patterson, CCNA
Network Engineer
Rapid Systems
(813)232-4887 Ext. 112
[EMAIL PROTECTED]
Managed Spam Filtering and Anti-Virus
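
Added example (not part of the thread or of Declude): the two BODY strings in the filter above decode as base64 to the "MZ" executable signature and the "PK" ZIP signature, which is why they match attachments of those types. The function names, the magic table and the sample attachments are assumptions constructed here; the last check shows the match only holds when the file starts at the beginning of the base64 stream.

```python
import base64

# Filter lines copied from the message above.
FILTER_LINES = [
    "BODY 15 CONTAINS TVqQAAME//8AAL",
    "BODY 15 CONTAINS UEsDBAoAAI2aUjBdbrA",
]

# Well-known file signatures (table added for this example).
MAGIC = {b"MZ": "DOS/Windows executable", b"PK\x03\x04": "ZIP local file header"}


def decode_fragment(fragment):
    """Decode only the complete 4-character base64 groups of a fragment."""
    usable = len(fragment) - len(fragment) % 4
    return base64.b64decode(fragment[:usable])


def classify(line):
    """Return the file type whose signature the filter string encodes."""
    raw = decode_fragment(line.split()[-1])
    for magic, name in MAGIC.items():
        if raw.startswith(magic):
            return name
    return "unknown"


def sample_from(fragment):
    """Constructed attachment bytes whose base64 text begins with the fragment."""
    padded = fragment + "A" * (-len(fragment) % 4)
    return base64.b64decode(padded)


def body_matches(fragment, attachment, lead=0):
    """True if the fragment occurs in the base64 of `lead` filler bytes + attachment."""
    encoded = base64.b64encode(b"\x00" * lead + attachment).decode()
    return fragment in encoded


if __name__ == "__main__":
    for line in FILTER_LINES:
        frag = line.split()[-1]
        data = sample_from(frag)
        # Aligned at offset 0 the string matches; shifted by one byte it does not.
        print(frag, classify(line), body_matches(frag, data), body_matches(frag, data, 1))
```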