new virus? bebmekht.exe

I've had Sasser worm like problems and now Zone Alarm antivirus+firewall has solved the problem.

I was getting errors like svchost.exe and lsass.exe has caused an error and needs to be shut down. My computer was grinding to a halt and I couldn't perform any upgrades. My computer was working fine until about 2 days ago when I connected to the internet and started to have the above problems.

Now Zone Alarm firewall and antivirus has blocked one program called bebmekht.exe and the problems have gone away and I'm now able to work with and upgrade my computer. I haven't seen anything on the internet about bebmekht.exe, maybe it's a new one.

A virus scan turned up no results.



Re: new virus? bebmekht.exe


Upload the file for scanning here:
http://www.virustotal.com/en/indexx.html
and let us know the results.

Art
http://home.epix.net/~artnpeg

Re: new virus? bebmekht.exe

I tried to upload the file to http://www.virustotal.com/en/indexx.html and hotmail said no the file cannot be uploaded because the file contains a virus that cannot be cleaned.





Re: new virus? bebmekht.exe


| I've had Sasser worm like problems and now Zone Alarm antivirus+firewall has solved the problem.
|
| I was getting errors like svchost.exe and lsass.exe has caused an error and needs to be shut down. My computer was grinding to a halt and I couldn't perform any upgrades. My computer was working fine until about 2 days ago when I connected to the internet and started to have the above problems.
|
| Now Zone Alarm firewall and antivirus has blocked one program called bebmekht.exe and the problems have gone away and I'm now able to work with and upgrade my computer. I haven't seen anything on the internet about bebmekht.exe, maybe it's a new one.
|
| A virus scan turned up no results.
|

If it was Sasser like then it would be an Internet worm using TCP port 445 attempting to exploit a buffer overflow condition in the LSASS module of the OS.  Such an attempt will generate the following 60 sec. shutdown message...

NT AUTHORITY\SYSTEM
'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819

    or

NT AUTHORITY\SYSTEM
'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819

{ NOTE:  The above can be generated internally and NOT be I-worm generated as well }

You say you have a FireWall.  If your FireWall was up and working correctly then the Internet worm could not try an exploit attempt through TCP port 445 as the FireWall should have blocked any such attempt.

You say "Zone alarm firewall and antivirus has blocked one program called bebmekht.exe" and the problem stopped.  Then the infector was already IN the PC and not on the Internet trying to get through to your PC.

The question then is what is the OS and Service Pack level.

Microsoft's LSASS vulnerability patch.
WinXP KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=3549EA9E-DA3F-43B9-A4F1-AF243B6168F3&displaylang=en

Win2K KB835732
http://www.microsoft.com/downloads/details.aspx?FamilyId=0692C27E-F63A-414C-B3EB-D2342FBB6C00&displaylang=en

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
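
The triage reasoning in the post above, as an added example that is not part of the original thread: it decodes the status code from the lsass.exe shutdown message into its NTSTATUS value and checks whether an allowed inbound TCP 445 connection preceded the crash. The log line format, the sample addresses, the 60-second correlation window and the function names are assumptions made for illustration, not any product's real log format.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines (format is hypothetical, not any product's log format).
SAMPLE_LOG = r"""
2007-02-27 10:14:40 FW BLOCK TCP 198.51.100.9:3312 -> 192.0.2.10:445
2007-02-27 10:15:02 FW ALLOW TCP 203.0.113.7:4021 -> 192.0.2.10:445
2007-02-27 10:15:05 SYS 'c:\winnt\system32\lsass.exe' terminated unexpectedly with status code -1073741819
2007-02-27 11:30:00 SYS 'c:\windows\system32\lsass.exe' terminated unexpectedly with status code -1073741819
""".strip().splitlines()

FW_RE = re.compile(r"^(\S+ \S+) FW (ALLOW|BLOCK) TCP (\S+):\d+ -> \S+:(\d+)$")
CRASH_RE = re.compile(r"^(\S+ \S+) SYS '(.+\\lsass\.exe)' terminated unexpectedly "
                      r"with status code (-?\d+)$", re.IGNORECASE)
NTSTATUS_NAMES = {0xC0000005: "STATUS_ACCESS_VIOLATION"}
WINDOW = timedelta(seconds=60)  # assumed correlation window

def to_ntstatus(signed_code):
    """Reinterpret the signed 32-bit value from the message as an unsigned NTSTATUS."""
    return signed_code & 0xFFFFFFFF

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def triage(lines):
    """Return one finding per lsass crash, with allowed inbound 445 hits just before it."""
    allowed_445, findings = [], []
    for line in lines:
        fw = FW_RE.match(line)
        if fw and fw.group(2) == "ALLOW" and fw.group(4) == "445":
            allowed_445.append((parse_ts(fw.group(1)), fw.group(3)))
            continue
        crash = CRASH_RE.match(line)
        if crash:
            when = parse_ts(crash.group(1))
            status = to_ntstatus(int(crash.group(3)))
            sources = [ip for ts, ip in allowed_445 if timedelta(0) <= when - ts <= WINDOW]
            findings.append({
                "time": crash.group(1),
                "status": f"0x{status:08X}",
                "name": NTSTATUS_NAMES.get(status, "unknown"),
                "verdict": "network-suspect" if sources else "no-inbound-445-seen",
                "sources": sources,
            })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A crash with no preceding allowed inbound 445 traffic matches the NOTE in the post: the same message can come from something already running on the machine.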



Re: new virus? bebmekht.exe

Windows 2000, no upgrades or service packs (fresh install, formatted drive).
As soon as I installed my pcmcia inet card I started having problems
like lsass.exe has caused an error




Re: new virus? bebmekht.exe


| Windows 2000, no upgrades or service packs (fresh install, formatted drive).
| As soon as I installed my pcmcia inet card I started having problems
| like lsass.exe has caused an error

The Sasser worm is pretty much dead.  However, the exploitation of the LSASS buffer overflow condition via TCP port 445 and the exploitation of the RPC/RPCSS DCOM buffer overflow condition via TCP port 135 have been adapted and are used by numerous Internet BOTs.  SDBot, AGOBot, RBot, etc...

It only takes seconds to a couple of minutes for another infected computer to send out the necessary packets to infect an unprotected computer.

Virus Guy is correct.  My head was shaking upon reading your reply.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: new virus? bebmekht.exe

The fact still remains I have an infected computer and my only antivirus option doesn't seem to pick up the problem.
I don't think Norton antivirus is available for win2k.
At least I can surf.





Re: new virus? bebmekht.exe

On this special day, mike Irvine wrote :

(bangs head on keyboard)

Don't you understand? As long as you are online, the malware will send
out attacks on other computers, to infect them, too.

You are currently Typhoid Mary. Remove your machine from the net AT
ONCE, wipe it, install W2K AND get the service pack 6 upwards, install
that one WHILE STILL OFF LINE. Only then you can get back onto the net,
BUT NOT EARLIER.


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de

--
Often those who most loudly proclaim their freedom to choose in some
fields are the most retentive about 'correcting' others' choices in
other fields.
(Brian Brunner in alt.games.diablo2)



Re: new virus? bebmekht.exe

On Wed, 28 Feb 2007 11:44:55 +0100, Gabriele Neukam

Actually, he's between a rock and a hard place since he shouldn't be
going on line at all with a fresh install of W2K unless he first
purchases an external firewall/router. That's why I wrote my article
(see my web site) named CLOSING PORTS ON WINDOWS 2000. However,
noobs are incapable of following such instructions involving editing
the registry. He can't download utils to do it, or even a software
firewall since he shouldn't be on line even that long. So he's stuck
unless he purchases a hardware appliance to block unsolicited
incoming.

One not-so-good approach under the circumstances would be to
put off the wipe/reinstall long enough to download a free personal
firewall and copy the install file to CD. Then do the wipe/reinstall.
Before going on line, install the personal firewall. Then use MS
update to download/install sp4 plus the rollup plus all the hotfixes.
But obviously, it would be best to wipe/reinstall and don't go
on line to update Win 2K without the external fw/router appliance.
Either that or get help from the computer whiz kid next door to
do the internet port closing as in my article.

Art
http://home.epix.net/~artnpeg

Re: new virus? bebmekht.exe

I guess I should also add that Zonealarm is blocking a lot
as well as bebmekht.exe




