Re: Virus that causes a lot of traffic ?

From: Paul fpvt2 (anonymous_at_discussions.microsoft.com)
Date: 11/30/04


Date: Tue, 30 Nov 2004 06:32:14 -0800

Hi Dave,
Yesterday, our network administrator ran the Stinger and
Trend Housecall (albeit not in a safe mode) on our
Win2000 servers.

The following were the viruses that can not be cleaned.
Do you know the best way to clean these viruses ? Do we
need to reboot the machine in a safe mode, go to DOS
prompt, unhide the directory and files, and delete them ?

. Bkdr./bounce.a. It is in
c:\winnt\system32\config\services.exe. Housecall can not clean it.
. Troj SQLSpida.B. It is in
c:\winnt\system32\drivers\services.exe. This is a hidden file that was
only shown when "Show all hidden files and
directories" in Windows explorer was selected. Housecall
can not clean it.
. HTML_Netsky.P. It is in
c:\program files\..\..\RYGJYXY0* Layer2 nonamefl*. In Windows
explorer, even after "Show all hidden files and
directories" was selected, you still can not see this
directory. Housecall can not clean it.
. IRC/Flood.ap Trojan at
c:\winnt\system32\OCXDLL.EXE\DLL32NT.HLP. Stinger can not clean this file.

The following were viruses that were successfully cleaned:
. Malware.pe_parite.a
. malware.worm_agobot-2
. W32/Sdbot.worm.gen.T
. W32/Sdbot.worm.gen.R

Do you think any of the malware that was found above
could cause the high bandwidth traffic on the servers ?

Thanks again in advance.

>-----Original Message-----
>You will have to use Ethereal or some other packet analysis tool and examine the traffic
>to/from the server to see what's going on. In the meantime, I suggest performing the
>following...
>
>1) Download the following four items...
>
> McAfee Stinger
> http://vil.nai.com/vil/stinger/
>
> Trend Sysclean Package
> http://www.trendmicro.com/download/dcs.asp
>
> Latest Trend Pattern File.
> http://www.trendmicro.com/download/pattern.asp
>
> Adaware SE (free personal version v1.05)
> http://www.lavasoftusa.com/
>
>Create a directory.
>On drive "C:\"
>(e.g., "c:\New Folder")
>or the desktop
>(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")
>
>Download Sysclean.com and place it in that directory.
>Download the Trend Pattern File by obtaining the ZIP file.
>For example; lpt265.zip
>
>Extract the contents of the ZIP file and place the contents in the same directory as
>sysclean.com.
>
>2) Update Adaware with the latest definitions.
>3) If you are using WinME or WinXP, disable System Restore
> http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
>4) Reboot your PC into Safe Mode
>5) Using Trend Sysclean, Stinger and Adaware, perform a Full Scan of your
> platform and clean/delete any infectors/parasites found.
> (a few cycles may be needed)
>6) Restart your PC and perform a "final" Full Scan of your platform using the three
> utilities; Trend Sysclean, Stinger and Adaware
>7) If you are using WinME or WinXP, Re-enable System Restore and re-apply any
> System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
>8) Reboot your PC.
>9) If you are using WinME or WinXP, create a new Restore point
>
>
>* * * Please report your results ! * * *
>
>Dave
>
>"Paul fpvt2" <anonymous@discussions.microsoft.com> wrote in message
>news:0ac601c4d49b$07adda30$a501280a@phx.gbl...
>| Recently some of our servers received so much traffic that
>| it caused the servers to go down. We have installed SP3
>| for SQL Server 2000, so I don't think it is related with
>| the W32/SQLSlammer.worm. We also installed Symantec
>| antivirus software in all our servers. Are there any other
>| viruses that would cause a lot of traffic to your machine ?
>|
>| Thank you.
>


