rc5 worm

MooCow

Senior member
Oct 12, 1999
237
0
0
Would anyone know of antivirus software that detects the worm? I've had to uninstall it (with dnet's dewormer) twice from a local business's computers, and while it's easy enough to get rid of, I'd like to make sure it doesn't come back. I don't know what the deal is with it, but it kills the use of the network when it infects the system.

Anywho, here are the email addresses that were in the ini files:
gentleps@muohio.edu
bymer@ukrpost.net

Not sure if I should email them to inform them that their email addy is being used or not.
 

Jator

Golden Member
Jun 14, 2000
1,445
7
81
I had a friend who was an IT admin and he said the same thing: it kills the network performance. Most of the worms have been discredited by DNet, with a few exceptions. I'd let DNet worry about the e-mail addys, unless you recognize it as a TA e-mail. Then you might want to let that person know.

Jay
 

IsOs

Diamond Member
Oct 9, 1999
4,475
0
76
Could you tell us how you suppose it got into your machine in the first place? That information is valuable in preventing other infections.
 

MooCow

Senior member
Oct 12, 1999
237
0
0
The only way I see the machines could get infected would be through email. Since these aren't my machines I'm not entirely sure what goes on with them. I've told the people who use them what rc5 is and that it isn't really an evil thing. I let them know I suspect emails to be the problem, and I showed them how to use the wormfree program. But I'd really like to make it so they don't have to worry about it at all. It's only 2 systems networked together; they don't even have a hub between them. Only a few people ever use them, too.

Jator: thanks for letting me know that someone else has had similar problems. I know gentleps@muohio.edu is in the top 10 (5?) for daily rc5 and isn't doing so badly in ogr either, so I don't know if that's the reason someone used their email or if that's the reason they're in such a high spot. If we ever get stats back I'll look and see where bymer@ukrpost.net stands in the rankings.

Edit: thanks for the link engineer
 

Moose

Member
Apr 8, 2000
180
0
0
We suspect they used gentleps@muohio.edu because it is my email address (which is available from my plan) as well as being at the top of the stats.

The major virus detection software packages detect the worm install. Every once in a while one of them will include dnetc.exe in the detection, and we correct them as quickly as we can. We have been working very closely with them to stay on top of the problem.

As far as the worms go, they are spread via open C shares, not email. Our wormfree program will prompt you to shut down your C shares and will close them for you if you want. One thing is that it sometimes takes running the wormfree program more than once. The "helperapp" (wininit.exe and the like) does not shut down right away and cannot be deleted right away, so it is not deleted. It takes some time for the 10 or so threads that it has running to be killed.

I hope that makes sense.

moose
 

MooCow

Senior member
Oct 12, 1999
237
0
0
Ok, now I can see why they'd use that email addy. Anywho, I think I might be able to take care of it now that I've asked you guys. Thanks, Moose.

 

MWalkden

Golden Member
Dec 7, 1999
1,082
0
0
You might consider loading Zone Alarm or a similar tool to stop the shares being exposed (the shares still exist, but Zone Alarm makes the PC appear as not being online). I recommend you look at Steve Gibson's site and do the Shields Up testing (found at Shields Up). This will give you an idea of how this is coming into your system. If you require ports to be open you might want to run a separate protocol for the LAN than you do for the Internet connection. What you do is bind file and print sharing to the LAN protocol and not to the Internet one.

I spent several hours reading anything I could find (actually spent most of my time searching for information) and didn't come up with much more than Engineer posted above. The worm simply looks for open shares on an IP, any IP, and tries to infect the system. Once it finds success on a LAN, it then explores the LAN with the rights assigned to the infected machine. This allows it to spread more easily.

The bad thing about this is the technique is easily duplicatable and the payload could be much worse. The obvious increase on the stats shows just how open networks are to infection.
 
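Two things in this thread lend themselves to a quick host check: Moose's point that the worm comes in through an open C share rather than email, and MooCow's observation that the worm's ini files credited work to an e-mail address the owner never configured. The script below is an added example, not part of this thread or of distributed.net's wormfree tool. It assumes dnetc.ini keeps the participant e-mail under a `[parameters]` section as `id=`, runs on constructed sample input (a made-up ini and made-up `net share` output, with placeholder addresses), and flags both an unexpected id and any share that exposes a whole drive, whatever the share is named.

```python
"""Audit a Windows host for the two signs discussed in the thread:
an unexpected id= in dnetc.ini and a share that exposes a whole drive.
Runs offline on constructed sample input."""
import configparser
import re

# Constructed sample dnetc.ini. The [parameters] section and id= key are an
# assumption about where dnetc stores the participant e-mail.
SAMPLE_INI = """\
[parameters]
id=unknown-id@example.net

[misc]
project-priority=RC5,OGR
"""

# Constructed sample of `net share` output from a machine that, besides the
# default C$ admin share, has shared its whole C: drive as "C".
SAMPLE_NET_SHARE = """\
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
C            C:\\
The command completed successfully.
"""

# Placeholder: the e-mail(s) the machine's owner actually registered with dnet.
ALLOWED_IDS = {"owner@example.com"}

# A path that is just a drive letter (C: or C:\) exposes the whole drive.
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")


def configured_ids(ini_text):
    """Return every id= value found in the ini text (normally just one)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    ids = []
    for section in cp.sections():
        if cp.has_option(section, "id"):
            ids.append(cp.get(section, "id").strip())
    return ids


def parse_net_share(text):
    """Parse `net share` output into (share_name, path) pairs.
    IPC$ has no resource path, so its path comes back as an empty string."""
    shares = []
    in_table = False
    for line in text.splitlines():
        if line.startswith("---"):
            in_table = True          # the dashed rule precedes the rows
            continue
        if not in_table or not line.strip() or line.startswith("The command"):
            continue
        parts = line.split()
        name = parts[0]
        path = parts[1] if len(parts) > 1 and re.match(r"^[A-Za-z]:", parts[1]) else ""
        shares.append((name, path))
    return shares


def exposed_root_shares(shares):
    """Shares whose path is a drive root, regardless of the share name."""
    return [(name, path) for name, path in shares if DRIVE_ROOT.match(path)]


def audit(ini_text, net_share_text, allowed_ids=ALLOWED_IDS):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for email in configured_ids(ini_text):
        if email not in allowed_ids:
            findings.append(f"dnetc.ini credits work to unexpected id {email}")
    for name, path in exposed_root_shares(parse_net_share(net_share_text)):
        findings.append(f"share {name} exposes drive root {path}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, SAMPLE_NET_SHARE):
        print("FINDING:", finding)
```

On a real machine you would feed `audit()` the contents of the client's dnetc.ini and the captured output of `net share`; an unexpected id means the client was not installed by the owner, and a drive-root share is the door Moose and MWalkden describe, to be closed (or bound only to the LAN protocol) before the worm comes back.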