ScoobyNet.com - Subaru Enthusiast Forum

W32/Deborm-Q (https://www.scoobynet.com/computer-and-technology-related-34/218765-w32-deborm-q.html)

shunty 11 June 2003 09:15 AM

We have had this virus & cleaned it since March.
It has made a reappearance over the last few days & keeps returning to the same PCs. We have been hit quite a bit today!!

This is what it does:
W32/Deborm-Q is a network worm which carries and installs Trojans. When run, the worm searches for shares named C or C$ on the local IP subnet that have no password. If a share is found the worm will attempt to copy itself to one of the following folders in the shares:

windows\start menu\programs\startup
documents and settings\all users\start menu\programs\startup
winnt\profiles\all users\start menu\programs\startup

W32/Deborm-Q will also attempt to install the Trojans Troj/Litmus-203 and Troj/Sdbot-Fam.

Even after we have changed the local admin password it still runs :eek:
Is there a new variant of this out??
Any help appreciated.

cheers

shunty
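The worm description in the post above names three Startup folders on open C shares. As an added example (not part of the original thread), this Python sketch audits those folders under a given root for executable files. The extension list, the allowlist parameter and the function names are assumptions made here.

```python
import sys
from pathlib import Path

# Startup folders named in the worm description, relative to the share root.
STARTUP_DIRS = [
    r"windows\start menu\programs\startup",
    r"documents and settings\all users\start menu\programs\startup",
    r"winnt\profiles\all users\start menu\programs\startup",
]
# Assumption: file types that run when dropped in a Startup folder.
# Shortcuts (.lnk) are normal there and are deliberately not flagged.
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

def resolve_case_insensitive(root, relative):
    """Find `relative` below `root`, matching each component without regard
    to case (needed when the share is mounted on a case-sensitive host).
    Returns the real directory Path, or None if it does not exist."""
    current = Path(root)
    for part in relative.split("\\"):
        try:
            match = next((e for e in current.iterdir()
                          if e.name.lower() == part.lower()), None)
        except OSError:  # missing root, unreadable folder, not a directory
            return None
        if match is None or not match.is_dir():
            return None
        current = match
    return current

def audit_startup(root, allowlist=()):
    """Return sorted share-relative paths of executable files found in the
    Startup folders, skipping file names listed in `allowlist`."""
    allowed = {name.lower() for name in allowlist}
    findings = []
    for rel in STARTUP_DIRS:
        folder = resolve_case_insensitive(root, rel)
        if folder is None:
            continue
        for entry in folder.iterdir():
            if (entry.is_file()
                    and entry.suffix.lower() in EXECUTABLE_EXTS
                    and entry.name.lower() not in allowed):
                findings.append(entry.relative_to(root).as_posix())
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_startup.py <drive or mounted share root>
    for hit in audit_startup(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print(hit)
```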

shunty 11 June 2003 09:24 AM

Sorted it now anyway....
Found out that it's not just admin accounts, but it takes the credentials of the logged-on user & if they are in Power Users locally, then it drops the payload :eek:

What is annoying is that the Sophos site (who we use) doesn't state this, but I checked McAfee (we used to use this at my last place), which gave a more in-depth description.

I know it's been out since March as well.

Cheers anyway.

shunty

JackClark 11 June 2003 01:11 PM

Give me a shout if you need a hand.

shunty 11 June 2003 01:58 PM

All sorted now Jack, but thanks for the offer.

shunty

Miles 11 June 2003 07:05 PM

That little critter is a royal PITA :(, it's been running around our network too recently.

shunty 12 June 2003 08:49 AM

Hello Miles...
We still have had a few this morning, nearly 100 yesterday :eek:
Not always dropping the payload though for some reason??

It's getting in through an HTML link via e-mail....
A few of our senior management are allowed through mimesweep with an "allow all" type scenario, but we haven't purchased any web virus protection/scanning software.

shunty


All times are GMT +1.