From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Tue Sep 09 2003 - 10:19:50 PDT
Hi Michael,
In the message "[Micronet] NEW VIRUS?", dated 2003-09-08, Michael Rimar wrote:
>A user (Win XP) has seen NAV intercept/quarantine a worm OPEN_ME.exe
>twice today (this am around 9 and at 2:30pm). This is a new one I
>hadn't yet heard about. It apparently achieved access through the
>guest account. I am the local tech support person but not a
>high-end techie: is this a new virus? should others be warned about
>vulnerabilities?
At least some reports note that a file with that name has been
associated with one or more members of a "spybot" family of worms
which, in Symantec's words, "spreads using KaZaA file-sharing and
mIRC. This worm can also spread to computers infected with common
Backdoor Trojan Horses."
Of course, the mere presence of a file named OPEN_ME.exe on a
user's system isn't in itself evidence of that worm or any other
particular malware, but the fact that NAV quarantined this file is
certainly suggestive.
You can find more detailed descriptions and removal instructions
for the "spybot" family of worms at:
Symantec Security Response: "W32.Spybot.Worm"
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
Trend Micro: "WORM_SPYBOT.GEN: Description and Solution"
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SPYBOT.GEN
Aron Roberts
Workstation Software Support Group
P.S. There are also two discussions on the computing.net site from
people who encountered difficulties cleaning this worm using the
instructions and/or tools provided on various anti-virus vendor
sites, including Symantec's and Trend Micro's. As always, your
mileage may vary:
http://www.computing.net/security/wwwboard/forum/5902.html
http://www.computing.net/security/wwwboard/forum/6243.html
If this worm is indeed present and you encounter difficulties
removing it from the user's system, or if you simply want someone
else to take a look at it, you might contact another support
organization, such as Campus Computer Repair and Support, (510)
643-6937, <mailto:caltec@socrates.berkeley.edu>,
<http://www-whsg.berkeley.edu/> in 50 University Hall. With some
infections, a reformat, reinstallation of the OS (with all applicable
patches applied), and restore of the user's files from backup may
potentially be warranted ... Best of luck!
This archive was generated by hypermail 2.1.5 : Tue Sep 09 2003 - 10:21:53 PDT