
donoreo
Premium Member
join:2002-05-30
North York, ON

Virus that shuts down Windows 2000 in 1 min...

But not XP? A major Canadian telecommunications company right now has over 800 people running 2000 who are given 1 minute after logging in before the reboot. I am talking to one person there and her virus definitions (Symantec) are dated Aug 10 (Aug 15 are current).

Ideas?

Chip0
Premium Member
join:2001-12-23
Connecticut

Maybe the Sasser worm (or a variation).
»www.pchell.com/virus/sas ··· er.shtml

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR

to donoreo
Or the MSBlaster Worm.

»www.pchell.com/virus/msb ··· st.shtml

I believe Symantec has removal tools for each of these posted. Not sure why their updated systems are affected though. Could it be a new infection?

donoreo
Premium Member
join:2002-05-30
North York, ON

Those two were all I could come up with, but the virus software is fairly up to date. I cannot confirm how up to date Windows is.

Fox135
join:2005-06-23
Brampton, ON

Member

isn't there a command that will stop it from shutting down so you can fix it?

shutdown -f or something like that...I can't remember the switch...anyone?

Edit: I think it might be -a (abort system shutdown)

tempnexus
Premium Member
join:1999-08-11
Boston, MA


to donoreo
Go to Command
type in
shutdown /a or shutdown -a

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR


to donoreo
This is interesting from Symantec:

Blaster
Payload: If the date is the 16th of the month until the end of that month if it's before August, and every day from August 16 until December 31.

Hmm, today's date!

donoreo
Premium Member
join:2002-05-30
North York, ON

The message is that it is C:\WINNT\System32\services.exe that is shut down. Also, shutdown -a does not halt the shutdown in this case. Is this something new?

DaveDude
No Fear
join:1999-09-01
New Jersey

Member

to donoreo
Did you try safe mode, and then run a virus scan, or possibly unplug it from the network, and see if it still behaves that way ?

slashman
Don't do it . ..
Premium Member
join:2003-10-01
Batavia, IL


to donoreo
Could be a variant of the zotob virus. Affects win 2000, not XP. I have it on good authority that Disney's servers and pcs have been infected and their IT staff have been working feverishly for several hours to clear the infection.

donoreo
Premium Member
join:2002-05-30
North York, ON


to DaveDude
said by DaveDude:

Did you try safe mode, and then run a virus scan, or possibly unplug it from the network, and see if it still behaves that way ?

No, I do not work there. If they want to hire me, they can. A friend told me about it.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR


to slashman
According to what I am reading it (Zotob) can infect XP as well.

Bane75
join:2002-09-20
Parker, CO

Member

It's Zotob. We have seen that exact behavior on our corporate network.

goalieskates
Premium Member
join:2004-09-12
land of big


to slashman
said by slashman:

Could be a variant of the zotob virus. Affects win 2000, not XP. I have it on good authority that Disney's servers and pcs have been infected and their IT staff have been working feverishly for several hours to clear the infection.

And if it IS zotob, Microsoft is remarkably casual about it:
"It only affected Windows 2000," said Stephen Toulouse, a manager at Microsoft's Security Response Center. "So far it has shown a very limited impact -- we're not seeing any widespread impact to the Internet, but we remain vigilant."

»www.cnn.com/2005/TECH/in ··· dex.html

That should win Microsoft friends in the corporate world, which leans heavily toward Win2K ... Mr. Toulouse might want to sharpen up his resume.

jbob
Reach Out and Touch Someone
Premium Member
join:2004-04-26
Little Rock, AR

to Bane75
I am wondering if this is Zotob (or new variant) or something else. I read nothing about the shutdown issues. Curious!

»www.microsoft.com/securi ··· tob.mspx

»www.f-secure.com/v-descs ··· _a.shtml

»securityresponse.symante ··· b.a.html

digiblur
Premium Member
join:2002-06-03
Louisiana


to donoreo
Confirmed that also a mostly Win2k corporate network has been affected internationally.

Not trying to be rude or smart but I can't give out the company name so don't bother asking. Sorry....

dddane-
@64.236.x.x

Anon

to donoreo
virus may be spreading via port 8888 and 3333

thousands of machines here constantly rebooting... symantec is not catching it.

win2000 machines w/ worm/virus seem to be running wintbp.exe

the_root
join:2001-10-09
Pittsburg, MO

Member

to donoreo
CNN is just reporting from New York their computers are shutting down. Most are Win2K.
Sounds like they're in a bit of a panic right now.

BKayrac
Premium Member
join:2001-09-29

it's on cnn right now.......how pathetic that i am superior to cnn with computers :P

just listening to them talk, makes me feel dumber

digiblur
Premium Member
join:2002-06-03
Louisiana


to donoreo
You'll find lots of large corporations have not moved to XP yet. The cost is very large plus there aren't really any features gained when moving to XP in the corporate world.

All I can say is.. this is going to be big!!!

BKayrac
Premium Member
join:2001-09-29

hasn't this already been patched tho?

as far as i can see, it's not a problem of moving to XP, as it is, either being updated, or simply blocking port 445

digiblur
Premium Member
join:2002-06-03
Louisiana

said by BKayrac:

hasn't this already been patched tho?

as far as i can see, it's not a problem of moving to XP, as it is, either being updated, or simply blocking port 445

It's been patched as of a week or so ago..but you'll find large corporations will have to run the patches that MS sends out through the testing process to make sure the patch does not break any of their software. Most large corp's do not use off the shelf software as they have their own in house software development teams.

unofficialfromthem-- to BKayrac

Anon

to BKayrac
I work for said company... We have pushed the latest Symantec corp defs to our whole network several times daily this week due to so many worm variants.

More interesting than anything, however, is every machine we've examined so far seems to have the latest microsoft patches installed...

it's not that anyone is in a panic, it's just news... we've confirmed that there are thousands and thousands of PCs w/ it. at lots of different companies.

BKayrac
Premium Member
join:2001-09-29


to digiblur
"if you're running windows 2000 shut your computer down, and don't touch it till you hear more".....is CNN's response.........what about UPDATE YOUR SYSTEM........or......BLOCK PORT 445

why do idiots talk about those which they do not understand?

if you work for cnn, you guys use 445 for anything? :P

digiblur
Premium Member
join:2002-06-03
Louisiana


to donoreo
»securityresponse.symante ··· b.d.html

slashman
Don't do it . ..
Premium Member
join:2003-10-01
Batavia, IL


to BKayrac
Quickly shut down before your computer explodes!:p
In the meantime please watch more television.

Maxo
Your tax dollars at work.
Premium Member
join:2002-11-04
Tallahassee, FL

said by slashman:

Quickly shut down before your computer explodes!:p
In the meantime please watch more television.

Yep, CNN just said that shutting down the computer right now and not using the computer for right now is probably a good idea. They were saying they think it is worm_rbot.cbq. I'll be leaving my computer on.

digiblur
Premium Member
join:2002-06-03
Louisiana


to donoreo
Looks like it's a new worm. I saw the hit around 3:30 central time.

It crashes the services.exe and reboots the computer in one minute. After the reboot things were fine and the user was able to login. Some are saying they keep getting rebooted though.

blocking445
@64.236.x.x

Anon

to BKayrac
kayrac, it's more than just that port as far as we can tell.. certain ports were blocked within minutes. but yes, blocking 445 was brought up.. and it was determined that wasn't an option right now because it was used by something

(it should be noted that in our enterprise, the 2000 machines are in minority... other companies--such as UPS--aren't as lucky right now)

whocares0
Premium Member
join:2003-07-26
..


to slashman

Re:was just on our news,

but our local news says it affected ABC, CNN, WALT DISNEY, etc.,
but it seems like all those companies would be using winxp, not a program that was 5 yrs old, just a comment, "Jazzy"