As for the Google search, if you read the page, that is not the file 
that is infected.  The files that are listed are the processes that it 
is trying to kill.  As for the scanner, Ethereal is being evil so I have 
not had much luck there.  I have the latest version of Stinger and that 
does not find it.  It does add at least two registry entries that are 
easy to find.  But without knowing how it gets in I cannot block it. 
I did a strings on it and it looks like it's using IRC to communicate.  I 
found a DCC command in there but I have not been able to find out the 
server name yet.  More news to follow.  As for the file, I will try to 
get it up on my web server in a passworded zip file.  As soon as it is 
done I will let you know.  If someone wants the strings output I can 
put that up there as well.

Jason

sk3tch at sk3tch.net wrote:
> And another thing..sometimes a simple Google search goes a long
> way...lol.
> 
> http://www.google.com/search?hl=en&ie=UTF-8&q=nortonav.exe&btnG=Google+Search
> 
> PLENTY of info there.  Geez.
> 
> 
> -----Original Message-----
> From: tclug-list-bounces at mn-linux.org on behalf of Jason Sievert
> Sent: Tue 7/6/2004 3:01 PM
> To: TCLUG Mailing List
> Subject: [TCLUG] OT Virus help!!
>  
> Hey guys, my company is getting blasted with a virus that I can find 
> nothing about.  None of our latest virus scanners can seem to find it. 
> It looks to be a single file, nortonav.exe, that is run at startup via 
> the registry in Windows.  It is choking our network to the point that 
> nothing can be done at this point.  The hardest hit seem to be Windows 
> 2000.  All of the computers do have the latest patches as of today.  It 
> does show up under the task manager as nortonav.exe.  I am still trying 
> to figure out how it gets in and what the traffic looks like.  Has 
> anybody seen anything like this???
> 
> _______________________________________________
> TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
> Help beta test TCLUG's potential new home: http://plone.mn-linux.org
> Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
> tclug-list at mn-linux.org
> https://mailman.real-time.com/mailman/listinfo/tclug-list
> 
