Posted by Dustin Cook on August 30, 2007, 5:37 pm
> A large customer of ours has a worm/virus running through their
> network. It seems to only be affecting their WinNT 4.0 machines which
> aren't running any anti-virus program. (Yeah, yeah, they know.)
> However, the Microsoft patches are up-to-date on the key ones, though
> MS stopped releasing WinNT patches long ago.
>
> The symptoms are:
> -- CMD.EXE is running at 100% CPU, slowing down the system immensely.
> -- There is only one CMD.EXE on the system and it is identical to the
> one on "clean" WinNT machines.
> -- There are multiple processes named "Realteks.exe" running. (There
> is no Realtek hardware in the systems.)
> -- The Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
> has the value "Windows Network Service" added and set to "Realteks.exe".
> -- However, a search of the hard drive finds no Realtek* files.
> -- A reboot seems to clear up the "infection", so it seems that it was
> running in memory only.
>
> Based on the Registry value, I suspect W32/Rbot-NT or W32/SDBOT.worm,
> but what virus scans we've been able to do have come up with no virus
> detected.
>
> We're hampered quite a bit because they took all the machines off the
> network and so we have only dial-up modem ability, and thus, can't
> remotely get them on the Internet to do an online virus scan. And
> installing a full AV package over the modem would be painful.
>
> So, I'm hoping to identify what we're dealing with, clean it up, and
> then get them running anti-virus after that.
>
> Any idea which worm/virus this might be? The obvious Google search of
> "realteks.exe" came up with nothing.
>
If you boot the machine from a bart disk, and then go looking, you'll
probably find that executable. If you do this and would like to send it
to me for analysis, I'll be happy to do so and report my findings.
--
####################################################
Dustin Cook
Author of BugHunter - MalWare Removal Tool - v2.2c
Email: bughunter.dustin@gmail.com
Web..: http://bughunter.it-mate.co.uk
Pad..: http://bughunter.it-mate.co.uk/pad.xml
####################################################
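An added triage check, not code from either poster: it takes text dumps of the Run key and the process list (constructed samples below, in an assumed `reg query` / `tasklist` shape) plus the set of files an offline search actually found, and flags the three indicators the original post describes: an autostart value that is a bare file name, an autostart value whose file is not on disk, and a process name running in several copies with no backing file. Only "Realteks.exe" and "Windows Network Service" come from the thread; all other names and paths are made up.

```python
import re
from collections import Counter

# Constructed sample in an assumed `reg query HKLM\...\Run` layout.
RUN_KEY_DUMP = """\
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    AdobeUpdater    REG_SZ    C:\\Program Files\\Adobe\\updater.exe
    Windows Network Service    REG_SZ    Realteks.exe
"""

# Constructed sample in an assumed tasklist-style layout (header line first).
PROCESS_DUMP = """\
Image Name       PID
System           8
Realteks.exe     412
Realteks.exe     520
Realteks.exe     633
cmd.exe          700
"""

# Constructed: lower-case full paths found by an offline search of the disk
# (e.g. after booting from rescue media, as the reply suggests).
FILES_ON_DISK = {"c:\\program files\\adobe\\updater.exe", "c:\\winnt\\system32\\cmd.exe"}


def parse_run_key(dump):
    """Return {value_name: command} from the dump; the key-path line is skipped."""
    entries = {}
    for line in dump.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) == 3 and parts[1].startswith("REG_"):
            entries[parts[0]] = parts[2]
    return entries


def image_path(command):
    """Lower-case executable path from a Run command, quoted or bare, arguments dropped."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)].lower()
    m = re.match(r"(.+?\.exe)", cmd, re.I)
    return (m.group(1) if m else cmd.split()[0]).lower()


def triage(run_dump, proc_dump, files_on_disk):
    """Return (indicator, detail) findings matching the symptoms in the thread."""
    findings, names_on_disk = [], {f.split("\\")[-1] for f in files_on_disk}
    for name, command in parse_run_key(run_dump).items():
        path = image_path(command)
        if "\\" not in path:  # legitimate autostarts almost always carry a directory
            findings.append(("run-entry-bare-name", f"{name} -> {command}"))
        present = path in files_on_disk if "\\" in path else path in names_on_disk
        if not present:  # autostart points at a file no disk search can find
            findings.append(("run-entry-missing-file", f"{name} -> {command}"))
    counts = Counter(l.split()[0].lower() for l in proc_dump.splitlines()[1:] if l.strip())
    for proc, n in counts.items():
        if n > 1 and proc not in names_on_disk:  # several copies, nothing on disk
            findings.append(("multi-instance-no-file", f"{proc} x{n}"))
    return findings
```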