w32 worm

A client has a worm which gives a warning message about 'NT authority
system' and then closes the computer.
I have downloaded the Symantec program fixblast.exe which claims to erase
this worm but it has not found it.
Can anyone throw any light on this and help please?

--
Quilly


Re: w32 worm

I should add the OS is WinXP SP2 and the anti-virus used is Avira.

--
Quilly


Re: w32 worm


Are you saying that Avira declares it a worm? Which worm? To the best of
my knowledge the symptoms indicate a crash caused by a failed exploit of
DCOM-RPC (like that used by Blaster among others) and is not necessarily
a "worm" but an exploit attempt from (perhaps made by a worm) outside of
your machine.



Re: w32 worm

No, Avira has not spotted it as far as I can tell. The definition I have
comes from Googling the error message about 'NT authority system'.

--
Quilly
Bookstore

http://stores.lulu.com/quilljar


Re: w32 worm


| No Avira has not spotted it as far as I can tell. The definition I have
| comes from Googling the error message about 'NT authority system'

| --
| Quilly
| Bookstore

Premature or possibly faux conclusion.  There are many "NT AUTHORITY/SYSTEM
shutdown in 60 sec." type messages.

What is the EXACT text of the NT AUTHORITY/SYSTEM shutdown in 60 sec message?

Example:
"Windows must now restart because the Remote Procedure Call (RPC) service
terminated unexpectedly"



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: w32 worm

Thanks for your reply David.
The problem is on someone else's machine and I cannot easily get the exact
message at this time of night. If I may come back to you I would be grateful.

--
Quilly


Re: w32 worm


| No Avira has not spotted it as far as I can tell. The definition I have
| comes from Googling the error message about 'NT authority system'

| --
| Quilly
| Bookstore

See my post with the same named subject in:
alt.comp.virus.binaries



--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp



Re: w32 worm

I am pretty sure that the relevant message was the second pic about 'RPC
service terminated unexpectedly'.

I seem to have eliminated the problem but I am not sure which scan did
it...!

Possibly upgrading from SP2 to SP3 helped?
--
Quilly


Re: w32 worm


| I am pretty sure that the relevant message was the second pic about   'RPC
| service terminated unexpectedly'

| I seem to have eliminated the problem but I am not sure which scan did
| it...!

| Possibly upgrading from SP2 to SP3 helped?
| --
| Quilly


They were two examples of two distinct shutdown messages generated by different
worms.

Both are generated when an Internet worm (or many BOTs) use specific exploit
codes via TCP ports 135 (RPC/RPCSS) and 445 (LSASS) to cause a buffer overflow
and elevation of privileges condition.  A vulnerable PC simply being behind a
NAT Router, NAT Router with a FireWall or a FireWall appliance would have
mitigated these types of threats.  Being at WinXP SP2 level would have already
fixed both.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
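Dave's post ties each shutdown message to a service and a TCP port (RPC/RPCSS on 135, LSASS on 445) and points at the NAT router or firewall as the thing that would have kept the exploit traffic off the machine. The script below is an added triage example, not code from the thread or from any tool named in it: it reads a simplified export of the System event log, picks out "service terminated unexpectedly" events, and looks back through a simplified firewall log for inbound TCP connection attempts to the matching port in the minutes before the crash, flagging whether any came from outside the local private ranges. Both log layouts, all timestamps and all addresses are constructed for the example; a real System log export and a real firewall log have more fields and would need their own parsers.

```python
"""Correlate a Windows service-crash event with inbound hits on the port the
service listens on (135 for RPC/RPCSS, 445 for LSASS, per the post above).

Added example only. The log layouts, timestamps and addresses are constructed
and simplified; they are not copied from any real machine."""
import ipaddress
import re
from datetime import datetime, timedelta

# Service-to-port mapping taken from the post above.
SERVICE_PORTS = {
    "Remote Procedure Call (RPC)": 135,
    "LSASS": 445,
}

# Local ranges (RFC 1918 plus loopback); a source outside these is "external".
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: simplified System-log export, one event per line,
# "YYYY-MM-DD HH:MM:SS | source | message".
SAMPLE_EVENTS = """\
2008-06-14 22:39:50 | Service Control Manager | The Print Spooler service entered the running state.
2008-06-14 22:41:07 | Service Control Manager | The Remote Procedure Call (RPC) service terminated unexpectedly.
2008-06-14 22:41:08 | USER32 | NT AUTHORITY\\SYSTEM: Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly
"""

# Constructed sample: simplified firewall log in the shape
# "date time action protocol src-ip dst-ip src-port dst-port".
SAMPLE_FIREWALL = """\
2008-06-14 22:38:12 OPEN TCP 192.168.1.20 192.168.1.10 1045 139
2008-06-14 22:40:31 OPEN-INBOUND TCP 203.0.113.77 192.168.1.10 3322 135
2008-06-14 22:40:58 OPEN-INBOUND TCP 203.0.113.77 192.168.1.10 3340 135
2008-06-14 22:41:02 OPEN-INBOUND TCP 192.168.1.33 192.168.1.10 2110 135
2008-06-14 22:55:00 OPEN-INBOUND TCP 203.0.113.77 192.168.1.10 3391 445
"""

CRASH_RE = re.compile(r"The (?P<service>.+?) service terminated unexpectedly")
TS_FMT = "%Y-%m-%d %H:%M:%S"


def is_local_address(addr):
    """True when the address falls inside one of the LOCAL_NETS ranges."""
    return any(addr in net for net in LOCAL_NETS)


def parse_crash_events(text):
    """Return (timestamp, service) for each Service Control Manager crash event."""
    crashes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, message = (part.strip() for part in line.split("|", 2))
        if source != "Service Control Manager":
            continue  # the USER32 restart notice repeats the same text; count once
        m = CRASH_RE.search(message)
        if m:
            crashes.append((datetime.strptime(ts, TS_FMT), m.group("service")))
    return crashes


def parse_firewall_log(text):
    """Return inbound TCP connection records from the simplified firewall log."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 8 or fields[2] != "OPEN-INBOUND" or fields[3] != "TCP":
            continue
        date, time, _action, _proto, src, dst, _sport, dport = fields[:8]
        records.append({
            "ts": datetime.strptime(f"{date} {time}", TS_FMT),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dport": int(dport),
        })
    return records


def correlate(events_text, firewall_text, window_seconds=120):
    """For each crash, list inbound hits on the service's port shortly before it."""
    findings = []
    inbound = parse_firewall_log(firewall_text)
    for crash_ts, service in parse_crash_events(events_text):
        port = SERVICE_PORTS.get(service)
        if port is None:
            continue  # a crash the post does not tie to an exposed port
        start = crash_ts - timedelta(seconds=window_seconds)
        hits = [r for r in inbound if r["dport"] == port and start <= r["ts"] <= crash_ts]
        external = sorted({str(r["src"]) for r in hits if not is_local_address(r["src"])})
        findings.append({
            "crash_time": crash_ts.strftime(TS_FMT),
            "service": service,
            "port": port,
            "inbound_hits": len(hits),
            "external_sources": external,
            "exposed_to_internet": bool(external),
        })
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, SAMPLE_FIREWALL):
        print(f"{f['crash_time']} {f['service']} crashed; {f['inbound_hits']} inbound hit(s) "
              f"on TCP/{f['port']} in the preceding window; external sources: {f['external_sources']}")
```

If the external-source list is non-empty, the machine was reachable on that port from the Internet, which is exactly the condition the post says a NAT router or firewall should have removed; a crash with only internal sources points at an already-infected neighbour on the LAN instead.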



Re: w32 worm


Feel the sting of the Google sword's other edge.

Many follow false conclusions and use remedies posted for another user
with an entirely different problem in an attempt to fix *their* problem.
This often leads to worse problems than originally existed. It is good
that you came here instead.


