
Gandalf The White (infected)

Gandalf (the white) was set up two weeks ago without anti-virus protection. So a worm (or two) moved in and started routing pirated files. This morning it started being so "loud" on the network it ground everything else to a halt.

I had to go make a personal call to perform surgery. Norton Anti-Virus found the following:

C:\WINNT\MSsrvs32.exe is infected with W32.Randex.gen
C:\WINNT\system32\MSsrvs32.exe is infected with W32.Randex.gen
C:\WINNT\system32\webchecks.dll is infected with W32.IRCBot
C:\WINNT\system32\dhcp\csrss.exe is infected with W32.IRCBot
C:\Documents and Settings\DoNotUse\payload.dat is infected with W32.Randex.gen
C:\Documents and Settings\Default User\Templates\winspsv.exe is infected with W32.Spybot.Worm
C:\Documents and Settings\Administrator\payload.dat is infected with W32.Randex.gen

I had to manually delete MSsrvs32.exe and webchecks.dll using a command line because Norton and Windows were "denied access."

Comments

Removed two registry entries that wanted to run MSsrv32.exe per Symantec's step 5.

What is Gandalf (the white)?
