news.microsoft.com 2004-06-26, 10:16 am
There is currently a thread on "microsoft.public.inetserver.iis.security"
entitled "Russian IIS hack? Malicious Javascript code".
Curiosity got the best of me. After clicking on the php urls in that
posting earlier today, my wmplayer.exe was also replaced with a worm.
The javascript code uses ado to copy a file from within a modal dialog
window.
If I delete the "c:\program files\windows media player" directory completely,
the worm keeps bringing it back along with a handful of files, including
wmplayer.exe.
It's currently confined to my laptop (at work) which is turned off and
disconnected from the network.
I'll give these steps a try in the morning, but I wanted to identify the
link between these two postings ASAP.
Mike Olund
"George Hester" <hesterloli@hotmail.com> wrote in message
news:%238lBFNiWEHA.3988@tk2msftngp13.phx.gbl...
Yesterday while surfing I noticed my modem clicking. I don't use the modem
for Internet connection I only use it for FAX service. Anyway I knew
something was wrong. In the Task Manager Windows 2000 this file was
running:
dale.exe
This file has no Version tab in properties and thus is suspect. It is 27KB
about the size of the NETSKY virus and variants. It has an accompanying dll
called 2.01.00.dll. The name is not important here. It is a
self-registering dll so you can remove its information from the registry
using this command in a command prompt in the folder where it resides
(%SYSTEMROOT%\system32\services):
    regsvr32 /u 2.01.00.dll
(press Enter, then click OK on the confirmation dialog)
That should be the very first step. Once that is done you can End the
Process of dale.exe in the Task Manager. But there is still a long way to
go before you've cleaned out this coolwebsearch hijack.
Next get Merlin's CWShredder. That will fix the Windows Media Player 9
whose executable is replaced by this worm. Also the other files in the
above services folder (which you should not have there) are:
crontab.ini
keywords.ini
sl.ini
titles.ini
wmplayer.exe (the worm)
You will also find the above executable called in the Registry in these
keys:
HKCR\Software\Microsoft\Windows\CurrentVersion\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
(remove the call to the executable on right)
Also it infests win.ini. CWShredder will find that and take care of it.
Still not done.
At this point you have to make sure that your dllcache is replenished with
bona fide files. This is a smart worm and the developers have gone to great
lengths to make sure you overlook something. To replenish the dllcache you
insert your Windows 2000 (in my case) CD-ROM, go to the command prompt and
type:
sfc /purgecache /scannow
The last switch is only necessary in Windows 2000 Professional.
Now you have a new dllcache and you should be able to fire up the other
Spyware catchers you have:
Adaware 6
BHODemon
HijackThis
Rebooting during this process when significant changes are made should get
everything back to normal. Oh I forgot. You also have to reinstall Windows
Media Player 9. If you are in XP I'm not sure what to do here...
And one last caveat. If you are using Windows 2000 SP3 then sfc will break
your system. You need to get qfecheck.exe and determine with that what
Hotfixes you need to reapply. Watch out for HTML Help breaking and you
might need to reinstall Windows Messaging if you use it.
HTH someone.
--
George Hester
__________________________________
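The two posts above amount to a manual autorun and file-drop triage. The script below is an added example (not code from either poster) that checks the same indicators on a live Windows host with PowerShell: the names dropped into the bogus %SYSTEMROOT%\system32\services folder, Run-key values that reference them, win.ini run=/load= lines, and whether the real wmplayer.exe under Program Files still carries version info and a valid signature. Assumptions are labelled in the comments: the machine-wide Run key is read from HKLM (that is where the per-machine key lives), and the win.ini check looks only at run= and load= under [windows], since the post does not say which win.ini entries were touched. The list of dropped file names is taken from the post; a hit on any of them is a lead to examine, not proof of infection.

```powershell
# Added example: audit the persistence points and file drops described in the thread.
# Names and paths come from the post; HKLM for the machine-wide Run key and the
# win.ini run=/load= keys are assumptions made here, not statements from the post.

function Find-CwsPersistence {
    $suspectDir = Join-Path $env:SystemRoot 'system32\services'
    # File names listed in the post as dropped into the bogus "services" folder.
    $dropNames  = 'dale.exe','2.01.00.dll','crontab.ini','keywords.ini','sl.ini','titles.ini','wmplayer.exe'
    $runKeys    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $findings   = @()

    # 1. Dropped files. A real wmplayer.exe lives under Program Files, not under system32\services,
    #    and a binary with no version resource (empty FileVersion) was the tell in the post.
    if (Test-Path $suspectDir) {
        foreach ($name in $dropNames) {
            $path = Join-Path $suspectDir $name
            if (Test-Path $path) {
                $item = Get-Item $path
                $findings += [pscustomobject]@{
                    Type     = 'File'
                    Location = $path
                    Detail   = ('{0} bytes, version "{1}"' -f $item.Length, $item.VersionInfo.FileVersion)
                }
            }
        }
    }

    # 2. Run-key values whose command line references the suspect folder or any dropped name.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...), not registry values
            $cmd = [string]$prop.Value
            $hitsDir  = $cmd -match [regex]::Escape($suspectDir)
            $hitsName = $dropNames | Where-Object { $cmd -match [regex]::Escape($_) }
            if ($hitsDir -or $hitsName) {
                $findings += [pscustomobject]@{ Type = 'RunKey'; Location = "$key\$($prop.Name)"; Detail = $cmd }
            }
        }
    }

    # 3. win.ini: assumption that a "run=" or "load=" line under [windows] is what the post means
    #    by "infests win.ini". Any non-empty value here is worth a look on a modern system.
    $winIni = Join-Path $env:SystemRoot 'win.ini'
    if (Test-Path $winIni) {
        $inWindows = $false
        foreach ($line in Get-Content $winIni) {
            if ($line -match '^\s*\[(.+)\]') { $inWindows = ($Matches[1] -ieq 'windows'); continue }
            if ($inWindows -and $line -match '^\s*(run|load)\s*=\s*(\S.*)$') {
                $findings += [pscustomobject]@{ Type = 'win.ini'; Location = "[windows] $($Matches[1])"; Detail = $Matches[2] }
            }
        }
    }

    # 4. The legitimate player: report its version string and Authenticode status so a replaced
    #    binary (no version, NotSigned/HashMismatch) stands out next to the findings above.
    $wmp = Join-Path $env:ProgramFiles 'Windows Media Player\wmplayer.exe'
    if (Test-Path $wmp) {
        $sig = Get-AuthenticodeSignature -FilePath $wmp
        $findings += [pscustomobject]@{
            Type     = 'WMP'
            Location = $wmp
            Detail   = ('signature {0}, version "{1}"' -f $sig.Status, (Get-Item $wmp).VersionInfo.FileVersion)
        }
    }

    return $findings
}

Find-CwsPersistence | Format-Table -AutoSize
```

Run it from an elevated prompt so the file and key reads are not silently denied; an empty table means none of the thread's indicators were found, and a 'WMP' row whose signature is anything other than Valid is the cue to reinstall the player as the post advises.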