T
Taed Wynnell
A large customer of ours has a worm/virus running through their network. It
seems to only be affecting their WinNT 4.0 machines which aren't running any
anti-virus program. (Yeah, yeah, they know.) However, the Microsoft
patches are up-to-date on the key ones, though MS stopped releasing WinNT
patches long ago.
The symptoms are:
-- CMD.EXE is running at 100% CPU, slowing down the system immensely.
-- There is only one CMD.EXE on the system and it is identical to the
one on "clean" WinNT machines.
-- There are multiple processes named "Realteks.exe" running. (There
is no Realtek hardware in the systems.)
-- The Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
has the value "Windows Network Service" added and set to "Realteks.exe".
-- However, a search of the hard drive finds no Realtek* files.
-- A reboot seems to clear up the "infection", so it seems that it was
running in memory only.
Based on the Registry value, I suspect W32/Rbot-NT or W32/SDBOT.worm, but
what virus scans we've been able to do have come up with no virus detected.
We're hampered quite a bit because they took all the machines off the
network and so we have only dial-up modem ability, and thus, can't remotely
get them on the Internet to do an online virus scan. And installing a full
AV package over the modem would be painful
So, I'm hoping to identify what we're dealing with, clean it up, and then
get them running anti-virus after that.
Any idea which worm/virus this might be? The obvious Google search of
"realteks.exe" came up with nothing.
seems to only be affecting their WinNT 4.0 machines which aren't running any
anti-virus program. (Yeah, yeah, they know.) However, the Microsoft
patches are up-to-date on the key ones, though MS stopped releasing WinNT
patches long ago.
The symptoms are:
-- CMD.EXE is running at 100% CPU, slowing down the system immensely.
-- There is only one CMD.EXE on the system and it is identical to the
one on "clean" WinNT machines.
-- There are multiple processes named "Realteks.exe" running. (There
is no Realtek hardware in the systems.)
-- The Registry key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
has the value "Windows Network Service" added and set to "Realteks.exe".
-- However, a search of the hard drive finds no Realtek* files.
-- A reboot seems to clear up the "infection", so it seems that it was
running in memory only.
Based on the Registry value, I suspect W32/Rbot-NT or W32/SDBOT.worm, but
what virus scans we've been able to do have come up with no virus detected.
We're hampered quite a bit because they took all the machines off the
network and so we have only dial-up modem ability, and thus, can't remotely
get them on the Internet to do an online virus scan. And installing a full
AV package over the modem would be painful
So, I'm hoping to identify what we're dealing with, clean it up, and then
get them running anti-virus after that.
Any idea which worm/virus this might be? The obvious Google search of
"realteks.exe" came up with nothing.