W32/Deborm-Q
#1
Scooby Regular
Thread Starter
Join Date: Aug 2001
Location: wakefield
Posts: 2,082
We have had this virus & cleaned it since March.
It has made a re-appearance over the last few days & keeps returning to the same PCs. We have been hit quite a bit today!!
This is what it does:
W32/Deborm-Q is a network worm which carries and installs Trojans. When run, the worm searches for shares named C or C$ on the local IP subnet that have no password. If a share is found the worm will attempt to copy itself to one of the following folders in the shares:
windows\start menu\programs\startup
documents and settings\all users\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup
W32/Deborm-Q will also attempt to install the Trojans Troj/Litmus-203 and Troj/Sdbot-Fam.
Even after we have changed the local admin password it still runs.
Is there a new variant of this out?
Any help appreciated.
Cheers
shunty
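An audit of the three Startup folders named in the worm description above, as an added example that is not part of the original post: it lists directly runnable files under a drive or mounted share root so they can be reviewed after cleaning. The extension list and the function names are assumptions made for this illustration; shortcuts (.lnk), which are normal in Startup, are not reported.

```python
import os
import tempfile

# Startup folders named in the worm description above, relative to the share root.
STARTUP_DIRS = [
    r"windows\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
    r"winnt\profiles\all users\start menu\programs\startup",
]
# Assumption: extensions treated as directly runnable; adjust for your estate.
RUNNABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs"}


def resolve_nocase(root, rel):
    """Follow rel under root, matching each path component case-insensitively."""
    current = root
    for part in rel.split("\\"):
        try:
            names = os.listdir(current)
        except OSError:
            return None  # missing, unreadable, or not a directory
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current if os.path.isdir(current) else None


def find_startup_executables(root):
    """Return sorted paths of runnable files in the Startup folders under root."""
    hits = []
    for rel in STARTUP_DIRS:
        folder = resolve_nocase(root, rel)
        if folder is None:
            continue
        for name in os.listdir(folder):
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            if os.path.isfile(path) and ext in RUNNABLE_EXTS:
                hits.append(path)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed sample tree standing in for a drive or mounted share.
    with tempfile.TemporaryDirectory() as root:
        startup = os.path.join(root, "WINNT", "Profiles", "All Users",
                               "Start Menu", "Programs", "Startup")
        os.makedirs(startup)
        for name in ("Office Startup.lnk", "unknown.EXE"):
            open(os.path.join(startup, name), "w").close()
        for hit in find_startup_executables(root):
            print("review:", hit)
```

Anything it reports still needs checking by hand or with the anti-virus scanner; a hit only means a runnable file sits where the description says the worm copies itself.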
#2
Sorted it now anyway....
Found out that it's not just admin accounts, but it takes the credentials of the logged-on user & if they are in Power Users locally, then it drops payload.
What is annoying is that the Sophos site (who we use) doesn't state this, but I checked McAfee (we used to use this at last place), which gave a more in-depth description.
I know it's been out since March as well.
Cheers anyway.
shunty
#6
Hello Miles...
We still have had a few this morning, nearly 100 yesterday.
Not always dropping payload though, for some reason?
It's getting in through an HTML link via e-mail....
A few of our senior management are allowed through mimesweep with an "allow all" type scenario, but we haven't purchased any web virus protection/scanning software.
shunty