New virus with a process named "Netlink32.exe"
Posted by DickW on April 6th, 2004


Hello,

I have installed Norton with the latest virus definitions, but it
still doesn't find the virus, and Windows already has the latest
service pack installed. Here are the symptoms:

1. It runs a process called "netlink32.exe" when Windows 2000
boots up, whose path is "c:\winnt\system32\netlink32.exe". Also,
it adds a value named "netlink" to the following registry keys:

"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService"

2. When the system boots up, it scans the network via port
135.

Does this sound like anything anyone has heard of and does anyone know
how I can stop it from replicating itself after every reboot?

Thanks so much in advance,

Dick.

Posted by kurt wismer on April 6th, 2004


DickW wrote:

can't name it from the symptoms but it definitely sounds like a network
share enumerating worm... if your av doesn't detect it send a sample to
your anti-virus developer for analysis...

--
"we're the first ones to starve, we're the first ones to die
the first ones in line for that pie in the sky
and we're always the last when the cream is shared out
for the worker is working when the fat cat's about"

Posted by fugates on April 6th, 2004


When my organization first encountered the polybot.l!hosts virus, we
found regsvc32.exe files in the exact locations you mention below.
McAfee AV scan did not pick up this file, even though it would detect
the w32/Polybotl!hosts worm and clean the infected file. Days later
McAfee came out with updated definition files that detected and
removed the regsvc32 files and we were fine. Now in the last days
we've found several different file names that have the same effect of
freezing Windows. The files are all found in similar locations.

The new file names we've found are:
Windows Login-->winlog.exe
Net Link--> netlink.exe
Compatibility Service Process-->regsvs.exe

Example of file locations:
c:\WINNT-->netlink32.exe
c:\WINNT\system32-->netlink32.exe

Registry--it will add a value called netlink to the following locations:
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService"


We've had to disconnect computers from network and reboot in safe mode
so that the process would not start; then delete all registry keys and
files; then reboot with network connection.

Jeremy



dickwai@magicaldesk.com (DickW) wrote in message news:<4bd2f316.0404060207.31d093c1@posting.google.com>...

Posted by Skeek on April 6th, 2004


We have the same new backdoor trojan attacking through open network
shares on our LAN. Symantec is no help at all and won't even accept
my example file of netlink32.exe that I tried to send to them using
their SARC submittal system.

All you can do at this point is to disconnect the network cable or
block 135 with a firewall, remove the entries from the registry,
reboot, then remove netlink32.exe from your System32 directory. Also
check your services to make sure the service is not still trying to
run. I found it frequently creates its own service name such as mmcgy
or some such thing - check all running services to see if any were
pointed at the netlink32.exe file and disable those. You may not find
any.

Our computers were mostly updated also, so it appears the trojan gets
in through either a new Windows weakness or more likely through poorly
protected computers on a network.
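
The clean-up Skeek describes (registry Run entries, the dropped file, and services pointed at it) can be audited before anything is deleted. This is an added example, not code from the thread or from any AV vendor; it assumes a current Windows host with PowerShell (Windows 2000 had none), uses the key paths exactly as the posts spell them, and only reports, it never removes.

```powershell
# Added example: report the netlink32.exe indicators named in this thread.
# Value name "netlink" and file name "netlink32.exe" are taken from the posts;
# the RunService key is spelled as the posts give it.
$fileName  = 'netlink32.exe'
$valueName = 'netlink'
$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunService'
)
# Both drop locations reported in the thread (%SystemRoot% and system32).
$filePaths = @(
    (Join-Path $env:SystemRoot $fileName),
    (Join-Path $env:SystemRoot "system32\$fileName")
)

$findings = @()

# 1. Autostart values: does either Run key carry a "netlink" value?
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        $props = Get-ItemProperty -Path $key
        if ($props.PSObject.Properties.Name -contains $valueName) {
            $findings += [pscustomobject]@{
                Kind = 'Registry'; Location = $key; Detail = $props.$valueName
            }
        }
    }
}

# 2. Dropped executable in either location.
foreach ($p in $filePaths) {
    if (Test-Path $p) {
        $findings += [pscustomobject]@{
            Kind = 'File'; Location = $p; Detail = (Get-Item $p).LastWriteTime
        }
    }
}

# 3. Services whose binary path references the file. Skeek notes the service
#    name is random (e.g. "mmcgy"), so match on the image path, not the name.
$suspect = Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($fileName) }
foreach ($svc in $suspect) {
    $findings += [pscustomobject]@{
        Kind = 'Service'; Location = $svc.Name; Detail = "$($svc.State) $($svc.PathName)"
    }
}

if ($findings.Count -eq 0) { 'No netlink32 indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so Win32_Service and HKCU of the affected user are readable; with the host still on the network, the service list is the part most likely to show something the registry check misses.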

Posted by James E. Taylor on April 6th, 2004


We saw this crop up late yesterday and into this morning. I was able
to get an EXTRA.DAT from McAfee to detect and delete it. The response
I got indicated it was w32/gaobot.worm.gen.g, or at least it was
detected with that signature.

I'd suggest you send a message to Symantec and see if they can get a
signature for you.

Other than stopping the netlink32 process and deleting the files you
mentioned, I don't know what else to suggest.

-James

dickwai@magicaldesk.com (DickW) wrote in message news:<4bd2f316.0404060207.31d093c1@posting.google.com>...

Posted by fugates on April 7th, 2004


We have narrowed the problem down to weak passwords. Updated AV is
crucial, but machines on our network that were updated with the most
recent McAfee virus definitions still got infected. You can look in a
machine's security log in Event Viewer and see an anonymous logon user
from an infected machine on your network logging onto your computer.
It then gets a list of all domain and local administrator
accounts on your machine and attempts to log on with each account using
a list of easy passwords until it logs on successfully. The machine is
then infected. We had machines with local admin accounts that were
either blank or had passwords such as "password". Once we changed
these passwords, the machines were not re-infected.

snowflaker@lycos.com (Skeek) wrote in message news:<7e11dd8d.0404061006.5444e62b@posting.google.com>...

Posted by Gabriele Neukam on April 7th, 2004


On that special day, Skeek, (snowflaker@lycos.com) said...

Maybe you are luckier here:

http://www.kaspersky.com/de/remoteviruschk.html

Did you apply

http://www.microsoft.com/technet/sec...n/MS00-072.asp


Gabriele Neukam

Gabriele.Spamfighter.Neukam@t-online.de


--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.

Posted by FromTheRafters on April 7th, 2004



"fugates" <jeremy_asbury@yahoo.com> wrote in message news:13ca4f64.0404070707.5182de37@posting.google.com...
Updated AV is perhaps less crucial than secure passwords and
patched software vulnerabilities.



Posted by greg on April 7th, 2004


jeremy_asbury@yahoo.com (fugates) wrote in message news:<13ca4f64.0404060707.347e4ddb@posting.google.com>...

I've just had a system today with "compatibility service process" as
the service name, but the exe is called regsvc32.exe. McAfee VScan
4.5.1 SP1 does not detect it, VScan 7 does not detect it and Sophos
does not detect it. When the process is run, netstat showed hundreds
of ports being opened to other systems on our network. The system
was so slow as to be unusable.

Agobot variant. These systems are fully patched; we use eEye Retina
scan and UpdateExpert to automate service packs, lock down the
Win2k/XP systems, and use strong admin passwords that LC4 can get nowhere
near. MBSA verifies that the system has the current
patch revisions.


One other strange one that someone may be able to help with: on
another system there is a directory in winnt\system32 called msdlib.
There is an exe called winwmi.exe; McAfee identified it as
HackerDefender, and the machine has a service called "RCP SHELL"
running this at startup. Looks like a backdoor over IRC. Anyone else
seen this one??? (Of course the system is now off the network.)
Googling turns up nothing of interest on msdlib or winwmi, and the AV
vendors have nothing listed either. I'm thinking this one was
compromised first and then the Agobot one followed??

Thanks
Greg

Posted by null@zilch.com on April 7th, 2004


On 7 Apr 2004 13:15:35 -0700, Goo@tuxiecomputing.com (greg) wrote:

Try running Spybot. Here's some info:

http://www.kephyr.com/spywarescanner...32/index.phtml


Art
http://www.epix.net/~artnpeg

