Worm Advisory: Bling.exe Updates32.exe SYSTESM32.EXE

Question

kc0arf 68 Posting Virtuoso

20 Years Ago

Hello,

At work, I am seeing three new variants of deviant behavior on our network. The machines are Windows 2000 and XP Pro, and they are patched to recent patch levels. Norton Antivirus does not detect these viruses, and the internet is really skimpy on details.

SYSTESM32.EXE
-- yes it is spelled correctly
-- found several times with regedit, but only in safe mode
-- prevents regedit and task manager from staying open
-- floods the network trying to re-infect (I did not sniff, no tech detail)
-- Had to use Procview from www.prcview.com to kill this in normal mode
-- was infected on Sept 28, so is new to us
-- Key name is Winsock, and the value is systesm32.exe
-- Was able to kill it off booting into safe mode, and scanning registry.

BLING.EXE and UPDATES32.EXE
-- both are worms found in regedit using the key name "psYko"
-- floods the network trying to re-infect (I did not sniff, so no tech detail)
-- UPDATES32.EXE "harder" to remove. Has survived a few reboots
-- need to boot to safe mode to remove from registry and kill off exe file
-- Read Microsoft KB 296405 and 246261.
-- We are testing RestrictAnonymous at level 2
-- Usually 3 to 4 instances of files in the registry.
-- Can be seen in Computer Management, under shared folder sessions. Look for the head without a username... that is an anonymous connection.

If others have any other information to add, please post.

Christian

windows-virus

2 Contributors
2 Replies
221 Views
5 Days Discussion Span
Latest Post 20 Years Ago Latest Post by Gothmog

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

kc0arf 68 Posting Virtuoso Team Colleague · Answer 1 · 2004-10-04T21:14:12+00:00

Update 10/3:

Starting to see the bling.exe registry value assigned to a new key name: Microsofts Updates.

It is possible to have two instances of Bling running... one of them under the psyko key, and the other on Microsofts Updates.

To kill it off, we have been going to safe mode, and killing the file's listings in the registry. We are also changing the RestrictAnonymous value from 0 to 2.

So far, we have not seen a re-infection when the value = 2.

Christian

Gothmog 0 Newbie Poster · Answer 2 · 2004-10-06T02:58:14+00:00

Yeah, I've been running into the 'updates32.exe' too on my network too.

This is the 1st post I've run across that references it, I'm glad I found it, kc0arf, I was beginning to think it was my imagination.

It's giving me fits. Haven't been able to successfully clean it off of any of the systems, I've been using 'HijackThis' and a few other tools, but I can't seem to kill it.

I'm going to give that 'RestrictAnonymous=2' thing a try now.

Any other info would be greatly appreciated.