donoreo Premium Member join:2002-05-30 North York, ON |
2005-Aug-16 3:19 pm
Virus that shuts down Windows 2000 in 1 min...But not XP?
A major Canadian telecommunications company right now has over 800 people running 2000 that are given 1 minute after logging in before the reboot. I am talking to one person there and her virus definitions (Symantec) are dated Aug 10 (Aug 15 are current).
Ideas? |
|
Chip0 Premium Member join:2001-12-23 Connecticut 2 edits |
2005-Aug-16 3:25 pm
Maybe the Sasser worm (or a variation). » www.pchell.com/virus/sas ··· er.shtml |
|
jbob (Reach Out and Touch Someone) Premium Member join:2004-04-26 Little Rock, AR 1 edit |
to donoreo
Or the MSBlaster Worm. » www.pchell.com/virus/msb ··· st.shtml
I believe Symantec has removal tools for each of these posted. Not sure why their updated systems are affected though. Could it be a new infection? |
|
donoreo Premium Member join:2002-05-30 North York, ON |
2005-Aug-16 3:28 pm
Those two were all I could come up with, but the virus software is fairly up to date. I cannot confirm how up to date Windows is. |
|
|
Fox135 join:2005-06-23 Brampton, ON 2 edits |
Member
2005-Aug-16 3:31 pm
isn't there a command that will stop it from shutting down so you can fix it?
shutdown -f or something like that...I can't remember the switch...anyone?
Edit: I think it might be -a (abort system shutdown) |
|
tempnexus Premium Member join:1999-08-11 Boston, MA |
to donoreo
Go to Command type in shutdown /a or shutdown -a |
|
jbob (Reach Out and Touch Someone) Premium Member join:2004-04-26 Little Rock, AR |
to donoreo
This is interesting from Symantec:
Blaster Payload: If the date is the 16th of the month until the end of that month if it's before August, and every day from August 16 until December 31.
Hmm, today's date! |
|
donoreo Premium Member join:2002-05-30 North York, ON |
2005-Aug-16 3:48 pm
The message is that it is C:\WINNT\System32\services.exe that is shutdown. Also, shutdown -a does not halt the shutdown in this case. Is this something new? |
|
DaveDude (No Fear) join:1999-09-01 New Jersey |
to donoreo
Did you try safe mode, and then run a virus scan, or possibly unplug it from the network, and see if it still behaves that way ? |
|
slashman (Don't do it . ..) Premium Member join:2003-10-01 Batavia, IL |
to donoreo
Could be a variant of the zotob virus. Affects win 2000, not XP. I have it on good authority that Disney's servers and pcs have been infected and their IT staff have been working feverishly for several hours to clear the infection. |
|
donoreo Premium Member join:2002-05-30 North York, ON |
to DaveDude
said by DaveDude: Did you try safe mode, and then run a virus scan, or possibly unplug it from the network, and see if it still behaves that way ?
No, I do not work there. If they want to hire me, they can. A friend told me about it. |
|
jbob (Reach Out and Touch Someone) Premium Member join:2004-04-26 Little Rock, AR |
to slashman
According to what I am reading it (Zotob) can infect XP as well. |
|
Bane75 join:2002-09-20 Parker, CO |
Member
2005-Aug-16 5:23 pm
It's Zotob. We have seen that exact behavior on our corporate network. |
|
|
to slashman
said by slashman: Could be a variant of the zotob virus. Affects win 2000, not XP. I have it on good authority that Disney's servers and pcs have been infected and their IT staff have been working feverishly for several hours to clear the infection.
And if it IS zotob, Microsoft is remarkably casual about it:
"It only affected Windows 2000," said Stephen Toulouse, a manager at Microsoft's Security Response Center. "So far it has shown a very limited impact -- we're not seeing any widespread impact to the Internet, but we remain vigilant."
» www.cnn.com/2005/TECH/in ··· dex.html
That should win Microsoft friends in the corporate world, which leans heavily toward Win2K ... Mr. Toulouse might want to sharpen up his resume. |
|
jbob (Reach Out and Touch Someone) Premium Member join:2004-04-26 Little Rock, AR |
to Bane75
I am wondering if this is Zotob (or new variant) or something else. I read nothing about the shutdown issues. Curious!
» www.microsoft.com/securi ··· tob.mspx
» www.f-secure.com/v-descs ··· _a.shtml
» securityresponse.symante ··· b.a.html |
|
digiblur Premium Member join:2002-06-03 Louisiana |
to donoreo
Confirmed that also a mostly Win2k corporate network has been affected internationally.
Not trying to be rude or smart but I can't give out the company name so don't bother asking. Sorry.... |
|
|
dddane- to donoreo
Anon
2005-Aug-16 5:34 pm
virus may be spreading via port 8888 and 3333
thousands of machines here constantly rebooting... symantec is not catching it.
win2000 machines w/ worm/virus seem to be running wintbp.exe |
|
|
to donoreo
CNN is just reporting from New York their computers are shutting down. Most are Win2K. Sounds like they're in a bit of a panic right now. |
|
BKayrac Premium Member join:2001-09-29 1 edit |
2005-Aug-16 5:42 pm
it's on cnn right now.......how pathetic that i am superior to cnn with computers :P
just listening to them talk, makes me feel dumber |
|
digiblur Premium Member join:2002-06-03 Louisiana |
to donoreo
You'll find lots of large corporations have not moved to XP yet. The cost is very large plus there aren't really any features gained when moving to XP in the corporate world.
All I can say is.. this is going to be big!!! |
|
BKayrac Premium Member join:2001-09-29 |
2005-Aug-16 5:47 pm
hasn't this already been patched tho?
as far as i can see, it's not a problem of moving to XP, as it is, either being updated, or simply blocking port 445 |
|
digiblur Premium Member join:2002-06-03 Louisiana |
2005-Aug-16 5:49 pm
said by BKayrac: hasn't this already been patched tho? as far as i can see, it's not a problem of moving to XP, as it is, either being updated, or simply blocking port 445
It's been patched as of a week or so ago... but you'll find large corporations will have to run the patches that MS sends out through the testing process to make sure the patch does not break any of their software. Most large corp's do not use off the shelf software as they have their own in house software development teams. |
|
|
unofficialfromthem-- to BKayrac
Anon
2005-Aug-16 5:49 pm
i work for said company... We have pushed the latest Symantec corp defs to our whole network several times daily this week due to so many worm variants.
More interesting than anything, however, is every machine we've examined so far seems to have the latest microsoft patches installed...
it's not that anyone is in a panic, it's just news... we've confirmed that there are thousands and thousands of PCs w/ it. at lots of different companies. |
|
BKayrac Premium Member join:2001-09-29 1 edit |
to digiblur
"if you're running windows 2000 shut your computer down, and don't touch it till you hear more".....is CNN's response.........what about UPDATE YOUR SYSTEM........or......BLOCK PORT 445
why do idiots talk about those which they do not understand?
if you work for cnn, you guys use 445 for anything? :P |
|
|
slashman (Don't do it . ..) Premium Member join:2003-10-01 Batavia, IL |
to BKayrac
Quickly shut down before your computer explodes!:p In the meantime please watch more television. |
|
Maxo (Your tax dollars at work.) Premium Member join:2002-11-04 Tallahassee, FL |
2005-Aug-16 6:02 pm
said by slashman: Quickly shut down before your computer explodes!:p In the meantime please watch more television.
Yep, CNN just said that shutting down the computer right now and not using the computer for right now is probably a good idea. They were saying they think it is worm_rbot.cbq
I'll be leaving my computer on. |
|
digiblur Premium Member join:2002-06-03 Louisiana |
to donoreo
Looks like it's a new worm. I saw the hit around 3:30 central time.
It crashes the services.exe and reboots the computer in one minute. After the reboot things were fine and the user was able to login. Some are saying they keep getting rebooted though. |
|
|
blocking445 to BKayrac
Anon
2005-Aug-16 6:03 pm
kayrac it's more than just that port as far as we can tell.. certain ports were blocked within minutes. but yes, blocking 445 was brought up.. and it was determined that wasn't an option right now because it was used by something
(it should be noted that in our enterprise, the 2000 machines are in minority... other companies--such as UPS--aren't as lucky right now) |
|
|
to slashman
Re: was just on our news, but our local news says it affected ABC, CNN, WALT DISNEY, etc., but it seems like all those companies would be using winxp, not a program that was 5 yrs old, just a comment, "Jazzy" |
|