New Virus or Something

New Virus or Something

on 17.04.2006 16:08:48 by Divin Marquis

We have had 3 separate Windows 2000 servers running IIS come down with
something. This started about 2 weeks ago and it has the following
symptoms.

The server is very slow to login to. Once up, if you go to the Event Viewer
you can see entries but cannot go into an entry to view the details of it.
When you go to Manage the computer, IIS is completely gone from the
Management MMC. If you go to Add and Remove Programs it looks all funky
like C&lose for the button and the title script is all jammed together and
nothing shows up. All websites are down. We have had to rebuild 3 servers
because we could not figure out what was going on. We are running Trend's
Office Scan Antivirus on the boxes and most all patches are applied. Any
ideas?


Thanks,
Fred

Re: New Virus or Something

on 17.04.2006 23:37:32 by Divin Marquis

Has anyone seen a root kit using the following files?
Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
Zzgdqzow.tmp

My server has these files. Help!!!

"Fred Yarbrough" wrote in message
news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
> We have had 3 separate Windows 2000 servers running IIS come down with
> something. This started about 2 weeks ago and it has the following
> symptoms.
>
> The server is very slow to login to. Once up, if you go to the Event Viewer
> you can see entries but cannot go into an entry to view the details of it.
> When you go to Manage the computer, IIS is completely gone from the
> Management MMC. If you go to Add and Remove Programs it looks all funky
> like C&lose for the button and the title script is all jammed together and
> nothing shows up. All websites are down. We have had to rebuild 3 servers
> because we could not figure out what was going on. We are running Trend's
> Office Scan Antivirus on the boxes and most all patches are applied. Any
> Ideas?
>
>
> Thanks,
> Fred
>
>

Re: New Virus or Something

on 18.04.2006 01:44:05 by <" <jjsmith

Hope you have a backup... then reformat....


As I said for many years, MS finally says the best way to get rid of problems is
REFORMAT.



"Fred Yarbrough" wrote in message
news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
> Has anyone seen a root kit using the following files?
> Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
> Zzgdqzow.tmp
>
> My server has these files. Help!!!
>
>
>
>
>
>
> "Fred Yarbrough" wrote in message
> news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
>> We have had 3 separate Windows 2000 servers running IIS come down with
>> something. This started about 2 weeks ago and it has the following
>> symptoms.
>>
>> The server is very slow to login to. Once up, if you go to the Event Viewer
>> you can see entries but cannot go into an entry to view the details of it.
>> When you go to Manage the computer, IIS is completely gone from the
>> Management MMC. If you go to Add and Remove Programs it looks all funky
>> like C&lose for the button and the title script is all jammed together and
>> nothing shows up. All websites are down. We have had to rebuild 3 servers
>> because we could not figure out what was going on. We are running Trend's
>> Office Scan Antivirus on the boxes and most all patches are applied. Any
>> Ideas?
>>
>>
>> Thanks,
>> Fred
>>
>>
>
>

Re: New Virus or Something

on 18.04.2006 15:15:14 by Divin Marquis

Yep, that is what we have done but the scary part is that I do not know how
it happened.

Thanks,
Fred


">>Smith<<" wrote in message
news:e34hRjnYGHA.4860@TK2MSFTNGP02.phx.gbl...
> Hope you have back up...then reformat....
>
>
> As I said for many years, MS finally says the best way to get rid of problems is
> REFORMAT.
>
>
>
> "Fred Yarbrough" wrote in message
> news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
> > Has anyone seen a root kit using the following files?
> > Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
> > Zzgdqzow.tmp
> >
> > My server has these files. Help!!!
> >
> >
> >
> >
> >
> >
> > "Fred Yarbrough" wrote in message
> > news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
> >> We have had 3 separate Windows 2000 servers running IIS come down with
> >> something. This started about 2 weeks ago and it has the following
> >> symptoms.
> >>
> >> The server is very slow to login to. Once up, if you go to the Event Viewer
> >> you can see entries but cannot go into an entry to view the details of it.
> >> When you go to Manage the computer, IIS is completely gone from the
> >> Management MMC. If you go to Add and Remove Programs it looks all funky
> >> like C&lose for the button and the title script is all jammed together and
> >> nothing shows up. All websites are down. We have had to rebuild 3 servers
> >> because we could not figure out what was going on. We are running Trend's
> >> Office Scan Antivirus on the boxes and most all patches are applied. Any
> >> Ideas?
> >>
> >>
> >> Thanks,
> >> Fred
> >>
> >>
> >
> >
>
>

Re: New Virus or Something

on 18.04.2006 15:22:38 by Jon Phipps

"Fred Yarbrough" wrote in message
news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
> Has anyone seen a root kit using the following files?
> Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
> Zzgdqzow.tmp
>
> My server has these files. Help!!!
>
>
>
>
>
>

The odd thing is that I can find nothing on these files on the internet;
Google, McAfee, HotBot, MSN all show up nothing...
So I can be of no help in telling what caused it :(
Jon

Re: New Virus or Something

on 18.04.2006 16:22:52 by Roger Abell

">>Smith<<" wrote in message
news:e34hRjnYGHA.4860@TK2MSFTNGP02.phx.gbl...
> Hope you have back up...then reformat....
>
>
> As I said for many years, MS finally says the best way to get rid of problems
> is REFORMAT.
>

which as I recall is what MS also has been saying for years . . .

>
> "Fred Yarbrough" wrote in message
> news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
>> Has anyone seen a root kit using the following files?
>> Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime Zzgdqzow.sys
>> Zzgdqzow.tmp
>>
>> My server has these files. Help!!!
>>
>>
>>
>>
>>
>>
>> "Fred Yarbrough" wrote in message
>> news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
>>> We have had 3 separate Windows 2000 servers running IIS come down with
>>> something. This started about 2 weeks ago and it has the following
>>> symptoms.
>>>
>>> The server is very slow to login to. Once up, if you go to the Event Viewer
>>> you can see entries but cannot go into an entry to view the details of it.
>>> When you go to Manage the computer, IIS is completely gone from the
>>> Management MMC. If you go to Add and Remove Programs it looks all funky
>>> like C&lose for the button and the title script is all jammed together and
>>> nothing shows up. All websites are down. We have had to rebuild 3 servers
>>> because we could not figure out what was going on. We are running Trend's
>>> Office Scan Antivirus on the boxes and most all patches are applied. Any
>>> Ideas?
>>>
>>>
>>> Thanks,
>>> Fred
>>>
>>>
>>
>>
>
>

Re: New Virus or Something

on 18.04.2006 16:27:39 by Roger Abell

"Fred Yarbrough" wrote in message
news:Oqu2YouYGHA.3868@TK2MSFTNGP04.phx.gbl...
> Yep, that is what we have done but the scary part is that I do not know
> how
> it happened.
>

Well, I was concerned when I saw your "most patches" comment.

If you had been able to keep an image from one of them then
something may have been discovered. Keep in mind that your
environment might have facilitated spread from the initial entry
machine onto the others even if the others had no vulnerabilities
other than configuration that did not isolate them.

Do you have any info from the headers of those Zzgdqzow files, as the naming
may be unique to your penetration?


>
> ">>Smith<<" wrote in message
> news:e34hRjnYGHA.4860@TK2MSFTNGP02.phx.gbl...
>> Hope you have back up...then reformat....
>>
>>
>> As I said for many years, MS finally says the best way to get rid of problems is
>> REFORMAT.
>>
>>
>>
>> "Fred Yarbrough" wrote in message
>> news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
>> > Has anyone seen a root kit using the following files?
>> > Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime
>> > Zzgdqzow.sys
>> > Zzgdqzow.tmp
>> >
>> > My server has these files. Help!!!
>> >
>> >
>> >
>> >
>> >
>> >
>> > "Fred Yarbrough" wrote in message
>> > news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
>> >> We have had 3 separate Windows 2000 servers running IIS come down with
>> >> something. This started about 2 weeks ago and it has the following
>> >> symptoms.
>> >>
>> >> The server is very slow to login to. Once up, if you go to the Event Viewer
>> >> you can see entries but cannot go into an entry to view the details of it.
>> >> When you go to Manage the computer, IIS is completely gone from the
>> >> Management MMC. If you go to Add and Remove Programs it looks all funky
>> >> like C&lose for the button and the title script is all jammed together and
>> >> nothing shows up. All websites are down. We have had to rebuild 3 servers
>> >> because we could not figure out what was going on. We are running Trend's
>> >> Office Scan Antivirus on the boxes and most all patches are applied. Any
>> >> Ideas?
>> >>
>> >>
>> >> Thanks,
>> >> Fred
>> >>
>> >>
>> >
>> >
>>
>>
>
>
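
Roger asks what the headers of the Zzgdqzow files say. As an added example, not code from the thread, here is a small Python reader for the PE/COFF header fields an incident responder would record before submitting a sample: machine type, link timestamp, section count, the DLL flag and the subsystem (a .sys image whose subsystem is "native" is a kernel-mode driver, which is what a rootkit needs in order to hide its files). The bytes it parses are constructed here for illustration; the IMAGE_FILE_* constants and field offsets are from the PE specification.

```python
import struct
from datetime import datetime, timezone

# Constants and offsets from the PE/COFF specification.
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
IMAGE_FILE_DLL = 0x2000
MACHINE_NAMES = {0x014C: "i386", 0x8664: "x86-64"}
SUBSYSTEM_NAMES = {1: "native (kernel driver)", 2: "Windows GUI", 3: "Windows console"}


def parse_pe_header(data):
    """Read the COFF and optional-header fields worth recording for a suspect file.

    Raises ValueError when the MZ/PE signatures are absent, i.e. the file is not
    a Windows executable image at all (a .log or .tmp that really is data).
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff_off = e_lfanew + 4
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, stamp, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    if opt_size < 70 or len(data) < opt_off + 70:
        raise ValueError("optional header truncated")
    magic = struct.unpack_from("<H", data, opt_off)[0]           # 0x10B PE32, 0x20B PE32+
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0]  # same offset in both formats
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "format": "PE32+" if magic == 0x20B else "PE32",
        "sections": nsections,
        "timestamp": stamp,
        "link_time_utc": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "subsystem": SUBSYSTEM_NAMES.get(subsystem, str(subsystem)),
    }


def build_sample_pe(characteristics, subsystem, stamp, machine=0x014C):
    """Constructed minimal PE image for exercising the parser; not a real binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", machine, 3, stamp, 0, 0, 0xE0, characteristics)
    opt = struct.pack("<H", 0x10B) + b"\0" * 66 + struct.pack("<H", subsystem)
    return dos + b"PE\0\0" + coff + opt.ljust(0xE0, b"\0")


def triage(named_samples):
    """Summarise a list of (filename, bytes); non-PE members are reported, not fatal."""
    report = {}
    for name, data in named_samples:
        try:
            report[name] = parse_pe_header(data)
        except ValueError as exc:
            report[name] = {"error": str(exc)}
    return report


if __name__ == "__main__":
    # Constructed stand-ins for the file set named in the thread.
    samples = [
        ("Zzgdqzow.sys", build_sample_pe(IMAGE_FILE_EXECUTABLE_IMAGE, 1, 1145000000)),
        ("Zzgdqzow.dll", build_sample_pe(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL, 2, 1145000000)),
        ("Zzgdqzow.log", b"plain text log data\r\n"),
    ]
    for name, info in triage(samples).items():
        print(name, info)
```

On a real case the bytes would come from the files copied off a disk image taken before the rebuild, which is the point Roger makes about keeping an image: once the box is reformatted there is nothing left to read.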

Re: New Virus or Something

on 18.04.2006 16:34:56 by Divin Marquis

We have several machines with it here now. Some are fully patched! W2K3
servers and W2K servers too.

I will be calling Microsoft as soon as we get a grasp as to what is going
on.



Thanks,
Fred



"Roger Abell [MVP]" wrote in message
news:OFIcKRvYGHA.3448@TK2MSFTNGP04.phx.gbl...
>
> "Fred Yarbrough" wrote in message
> news:Oqu2YouYGHA.3868@TK2MSFTNGP04.phx.gbl...
> > Yep, that is what we have done but the scary part is that I do not know
> > how
> > it happened.
> >
>
> Well, I was concerned when I saw your "most patches" comment.
>
> If you had been able to keep an image from one of them then
> something may have been discovered. Keep in mind that your
> environment might have facilitated spread from the initial entry
> machine onto the others even if the others had no vulnerabilities
> other than configuration that did not isolate them.
>
> Do you have any info from the headers of those Zzgdqzow files ?
> as the naming may be unique for your penetration
>
>
> >
> > ">>Smith<<" wrote in message
> > news:e34hRjnYGHA.4860@TK2MSFTNGP02.phx.gbl...
> >> Hope you have back up...then reformat....
> >>
> >>
> >> As I said for many years, MS finally says the best way to get rid of problems is
> >> REFORMAT.
> >>
> >>
> >>
> >> "Fred Yarbrough" wrote in message
> >> news:uMG4ZcmYGHA.3624@TK2MSFTNGP02.phx.gbl...
> >> > Has anyone seen a root kit using the following files?
> >> > Zzgdqzow.dll Zzgdqzow.exe Zzgdqzow.drv Zzgdqzow.ime
> >> > Zzgdqzow.sys
> >> > Zzgdqzow.tmp
> >> >
> >> > My server has these files. Help!!!
> >> >
> >> >
> >> >
> >> >
> >> >
> >> >
> >> > "Fred Yarbrough" wrote in message
> >> > news:uBFOqhiYGHA.4248@TK2MSFTNGP05.phx.gbl...
> >> >> We have had 3 separate Windows 2000 servers running IIS come down with
> >> >> something. This started about 2 weeks ago and it has the following
> >> >> symptoms.
> >> >>
> >> >> The server is very slow to login to. Once up, if you go to the Event Viewer
> >> >> you can see entries but cannot go into an entry to view the details of it.
> >> >> When you go to Manage the computer, IIS is completely gone from the
> >> >> Management MMC. If you go to Add and Remove Programs it looks all funky
> >> >> like C&lose for the button and the title script is all jammed together and
> >> >> nothing shows up. All websites are down. We have had to rebuild 3 servers
> >> >> because we could not figure out what was going on. We are running Trend's
> >> >> Office Scan Antivirus on the boxes and most all patches are applied. Any
> >> >> Ideas?
> >> >>
> >> >>
> >> >> Thanks,
> >> >> Fred
> >> >>
> >> >>
> >> >
> >> >
> >>
> >>
> >
> >
>
>

Re: New Virus or Something

on 18.04.2006 17:23:56 by jeroen.wijnands

Fred Yarbrough wrote:
> We have several machines with it here now. Some are fully patched! W2K3
> servers and W2K servers too.
>
> I will be calling Microsoft as soon as we get a grasp as to what is going
> on.
>
I'd say, create ghost images of the affected systems, scrub them and
reinstall.

You don't have admins surfing the web from one of your servers?


Jeroen
http://wijnands.blogspot.com

Re: New Virus or Something

on 18.04.2006 17:32:28 by Divin Marquis

I suspect that to be a very good possibility.

We have our systems patched and running Trend OfficeScan and it is not
stopping it.

We have noticed these infected machines are broadcasting out HTTP to the
following IP addresses:

61.144.253.3
61.144.253.6

Check your firewall logs for http going to either of these sites!!!!



Thanks,
Fred

wrote in message
news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
>
> Fred Yarbrough wrote:
> > We have several machines with it here now. Some are fully patched! W2K3
> > servers and W2K servers too.
> >
> > I will be calling Microsoft as soon as we get a grasp as to what is going
> > on.
> >
> I'd say, create ghost images of the affected systems, scrub them and
> reinstall.
>
> You don't have admins surfing the web from one of your servers?
>
>
> Jeroen
> http://wijnands.blogspot.com
>

Re: New Virus or Something

on 18.04.2006 20:21:53 by Divin Marquis

Update.

There is another IP address the infected machines are trying to contact
211.235.253.131.

The file names also appear to be somewhat random but have always been located
in our c:\winnt\system32 directory. They always start with z and appear as
6 files on Windows 2000 Servers. Our Windows 2003 server only shows the
single dll file.
Here is what one of our W2K servers has for these files:

Zzgdqzow.dll
Zzgdqzow.drv
Zzgdqzow.ime
Zzgdqzow.log
Zzgdqzow.sys
Zzgdqzow.tmp


Fred


"Fred Yarbrough" wrote in message
news:e2HgE1vYGHA.500@TK2MSFTNGP03.phx.gbl...
> I suspect that to be a very good possibility.
>
> We have our systems patched and running Trend OfficeScan and it is not
> stopping it.
>
> We have noticed these infected machines are broadcasting out http to the
> following IP addresses
>
> 61.144.253.3
> 61.144.253.6
>
> Check your firewall logs for http going to either of these sites!!!!
>
>
>
> Thanks,
> Fred
>
> wrote in message
> news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
> >
> > Fred Yarbrough wrote:
> > > We have several machines with it here now. Some are fully patched! W2K3
> > > servers and W2K servers too.
> > >
> > > I will be calling Microsoft as soon as we get a grasp as to what is going
> > > on.
> > >
> > I'd say, create ghost images of the affected systems, scrub them and
> > reinstall.
> >
> > You don't have admins surfing the web from one of your servers?
> >
> >
> > Jeroen
> > http://wijnands.blogspot.com
> >
>
>
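
Fred's observation that the six files share one random stem under c:\winnt\system32 is itself a detectable pattern. As an added example, not code from the thread, this Python script groups a directory listing by file stem, flags any stem that combines loadable code (.sys/.dll/.exe/.drv) with at least two more of the extensions seen here, and computes the MD5 and SHA-1 hashes an AV vendor asks for alongside a sample. The threshold, the watched extension set and the directory contents are constructed assumptions; to run it on a real server, point it at the system32 directory instead of the temporary one. It would not catch the single-.dll case Fred reports on Windows 2003, which needs other evidence such as the outbound connections.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Extension mix reported in the thread for the Windows 2000 servers (assumed watch set).
CODE_EXTS = {".sys", ".dll", ".exe", ".drv"}
SUPPORT_EXTS = {".ime", ".log", ".tmp"}
WATCHED_EXTS = CODE_EXTS | SUPPORT_EXTS


def group_by_stem(filenames):
    """Map lower-cased stem -> {extension: original filename} over watched extensions."""
    groups = defaultdict(dict)
    for name in filenames:
        stem, ext = os.path.splitext(name)
        ext = ext.lower()
        if ext in WATCHED_EXTS:
            groups[stem.lower()][ext] = name
    return groups


def find_suspicious_sets(filenames, min_members=3):
    """Return {stem: sorted filenames} for stems that own at least one loadable-code
    extension and at least min_members watched files in total.

    Assumption: a legitimate component rarely ships a .sys, .dll, .ime, .tmp and
    .log under one stem, so a set like that under a random name is worth a look.
    """
    hits = {}
    for stem, members in group_by_stem(filenames).items():
        exts = set(members)
        if exts & CODE_EXTS and len(exts) >= min_members:
            hits[stem] = sorted(members.values(), key=str.lower)
    return hits


def hash_files(directory, names):
    """MD5 and SHA-1 of each flagged file, the identifiers a vendor wants with a sample."""
    out = {}
    for name in names:
        with open(os.path.join(directory, name), "rb") as f:
            data = f.read()
        out[name] = {"md5": hashlib.md5(data).hexdigest(),
                     "sha1": hashlib.sha1(data).hexdigest()}
    return out


def demo():
    """Build a constructed directory with the thread's six names plus some
    legitimate-looking neighbours, and return the flagged sets and their hashes."""
    names = ["Zzgdqzow.dll", "Zzgdqzow.drv", "Zzgdqzow.ime", "Zzgdqzow.log",
             "Zzgdqzow.sys", "Zzgdqzow.tmp", "kernel32.dll", "ntoskrnl.exe",
             "setupapi.log", "setupapi.dll"]
    with tempfile.TemporaryDirectory() as d:
        for n in names:
            with open(os.path.join(d, n), "wb") as f:
                f.write(n.encode())  # constructed placeholder content, not real files
        hits = find_suspicious_sets(os.listdir(d))
        hashes = {stem: hash_files(d, members) for stem, members in hits.items()}
    return hits, hashes


if __name__ == "__main__":
    flagged, digests = demo()
    for stem, members in flagged.items():
        print(stem, members)
        for name, h in digests[stem].items():
            print("  ", name, h["md5"], h["sha1"])
```

setupapi.dll and setupapi.log share a stem but stay below the threshold, which is the kind of false positive the min_members parameter exists to suppress; tune it against a clean reference installation before trusting the output.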

Re: New Virus or Something

on 19.04.2006 09:59:28 by Daniel Crichton

Fred wrote on Tue, 18 Apr 2006 13:21:53 -0500:

> Update.
>
> There is another IP address the infected machines are trying to contact
> 211.235.253.131.
>
> The file names also appear to somewhat random but have always been located
> in our c:\winnt\system32 directory. They always start with z and appear
> as 6 files on Windows 2000 Servers. Our Windows 2003 server only shows
> the single dll file.
> Here is what one of our W2K servers has for these files
>
> Zzgdqzow.dll
> Zzgdqzow.drv
> Zzgdqzow.ime
> Zzgdqzow.log
> Zzgdqzow.sys
> Zzgdqzow.tmp

If you get what appears to be an infection and your AV product isn't picking
it up then it's worth getting other AV vendors to check it too. Try NAI;
you can submit the files online and get an instant response.

http://vil.nai.com/vil/submit-sample.aspx

Searching for the filenames on Google will likely be pointless as the
filenames will be random, and you'll only find a match if someone else
happens to have the same filenames generated. Even then it might be
something completely different. The only sure way to find out what they are
is to get an AV product to detect the signature.

Dan

Re: New Virus or Something

on 19.04.2006 22:03:42 by Divin Marquis

Microsoft and Trend have confirmed this to be a new Malware/RootKit attack.
Trend is trying to develop a pattern/fix for it. We are testing samples for
them but nothing stops it yet. Watch your firewall logs for outgoing HTTP
traffic to any of the 3 IP addresses:


61.144.253.3
61.144.253.6
211.235.253.131




Thanks,
Fred


"Daniel Crichton" wrote in message
news:eaL0wc4YGHA.3972@TK2MSFTNGP04.phx.gbl...
> Fred wrote on Tue, 18 Apr 2006 13:21:53 -0500:
>
> > Update.
> >
> > There is another IP address the infected machines are trying to contact
> > 211.235.253.131.
> >
> > The file names also appear to be somewhat random but have always been
> > located in our c:\winnt\system32 directory. They always start with z and
> > appear as 6 files on Windows 2000 Servers. Our Windows 2003 server only
> > shows the single dll file.
> > Here is what one of our W2K servers has for these files
> >
> > Zzgdqzow.dll
> > Zzgdqzow.drv
> > Zzgdqzow.ime
> > Zzgdqzow.log
> > Zzgdqzow.sys
> > Zzgdqzow.tmp
>
> If you get what appears to be an infection and your AV product isn't
> picking it up then it's worth getting other AV vendors to check with too.
> Try NAI; you can submit them online and get an instant response.
>
> http://vil.nai.com/vil/submit-sample.aspx
>
> Searching for the filenames on Google will likely be pointless as the
> filenames will be random, and you'll only find a match if someone else
> happens to have the same filenames generated. Even then it might be
> something completely different. The only sure way to find out what they
> are is to get an AV product to detect the signature.
>
> Dan
>
>
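Fred's advice in the post above is to watch the firewall logs for outgoing HTTP traffic to the three addresses. The script below is an added example for this thread (not code from Fred, Trend or Microsoft) that does that check over an exported log: it parses one record per line, keeps every record whose destination is on the watch list, and groups the hits by internal source so you get the list of hosts to pull off the network. The log lines are constructed; the field order (date time action protocol src-ip dst-ip src-port dst-port, W3C-style) is an assumption for the example and parse_line() is the one function to adapt to a real firewall's format. Blocked (DROP) attempts are kept on purpose, because a denied connection still identifies the host that tried, and any port is flagged rather than only 80, since the infected host is the finding either way.

```python
import ipaddress
from collections import defaultdict

# The three destinations Fred's post says to watch for (taken from the thread).
WATCHED_DESTINATIONS = {"61.144.253.3", "61.144.253.6", "211.235.253.131"}

# Constructed sample log in a W3C-style space-separated layout. The field
# order (date time action proto src-ip dst-ip src-port dst-port) is an
# assumption for this example; adapt parse_line() to your firewall's format.
# 192.0.2.10 is a documentation address standing in for ordinary web traffic.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2006-04-19 21:40:01 OPEN TCP 10.0.0.15 61.144.253.3 1042 80
2006-04-19 21:40:02 OPEN TCP 10.0.0.15 192.0.2.10 1043 80
2006-04-19 21:41:10 OPEN TCP 10.0.0.22 211.235.253.131 1801 80
2006-04-19 21:41:11 DROP TCP 10.0.0.22 61.144.253.6 1802 80
2006-04-19 21:42:00 OPEN UDP 10.0.0.15 10.0.0.1 1044 53
this line is garbage and must be skipped
"""


def parse_line(line):
    """Return a dict for one log record, or None for comments and unparseable lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    if len(fields) < 8:
        return None
    date, time, action, proto, src, dst, sport, dport = fields[:8]
    try:
        ipaddress.ip_address(src)   # rejects lines where the IP columns are not IPs
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return {"when": date + " " + time, "action": action.upper(),
            "proto": proto.upper(), "src": src, "dst": dst, "dport": dport}


def watched_connections(log_text, watched=WATCHED_DESTINATIONS):
    """All records whose destination is on the watch list, in log order.
    DROP records are kept: a blocked attempt still identifies the host that tried."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] in watched:
            out.append(rec)
    return out


def hosts_to_investigate(log_text, watched=WATCHED_DESTINATIONS):
    """Map each internal source address to the watched destinations it contacted."""
    by_src = defaultdict(set)
    for rec in watched_connections(log_text, watched):
        by_src[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in by_src.items()}


if __name__ == "__main__":
    for rec in watched_connections(SAMPLE_LOG):
        print("%(when)s %(action)s %(proto)s %(src)s -> %(dst)s:%(dport)d" % rec)
    print(hosts_to_investigate(SAMPLE_LOG))
```

Run it against a real export by reading the file into a string and passing it to hosts_to_investigate(); a host that appears in the result has at least attempted the contact the thread describes, regardless of whether the firewall let it through.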

Re: New Virus or Something

am 20.04.2006 00:06:23 von Divin Marquis

This is a new form of the Backdoor.Hesive.C Trojan.



Fred



"Fred Yarbrough" wrote in message
news:uXWITx%23YGHA.4580@TK2MSFTNGP03.phx.gbl...
> Microsoft and Trend have confirmed this to be a new Malware/RootKit
> attack. Trend is trying to develop a pattern/fix for it. We are testing
> samples for them but nothing stops it yet. Watch your firewall logs for
> outgoing HTTP traffic to any of the 3 IP addresses.
>
>
> 61.144.253.3
> 61.144.253.6
> 211.235.253.131
>
>
>
>
> Thanks,
> Fred
>
>
> "Daniel Crichton" wrote in message
> news:eaL0wc4YGHA.3972@TK2MSFTNGP04.phx.gbl...
> > Fred wrote on Tue, 18 Apr 2006 13:21:53 -0500:
> >
> > > Update.
> > >
> > > There is another IP address the infected machines are trying to
> > > contact 211.235.253.131.
> > >
> > > The file names also appear to be somewhat random but have always been
> > > located in our c:\winnt\system32 directory. They always start with z
> > > and appear as 6 files on Windows 2000 Servers. Our Windows 2003 server
> > > only shows the single dll file.
> > > Here is what one of our W2K servers has for these files
> > >
> > > Zzgdqzow.dll
> > > Zzgdqzow.drv
> > > Zzgdqzow.ime
> > > Zzgdqzow.log
> > > Zzgdqzow.sys
> > > Zzgdqzow.tmp
> >
> > If you get what appears to be an infection and your AV product isn't
> > picking it up then it's worth getting other AV vendors to check with
> > too. Try NAI; you can submit them online and get an instant response.
> >
> > http://vil.nai.com/vil/submit-sample.aspx
> >
> > Searching for the filenames on Google will likely be pointless as the
> > filenames will be random, and you'll only find a match if someone else
> > happens to have the same filenames generated. Even then it might be
> > something completely different. The only sure way to find out what they
> > are is to get an AV product to detect the signature.
> >
> > Dan
> >
> >
>
>

Re: New Virus or Something

am 21.04.2006 16:02:38 von Roger Abell

wrote in message
news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
>
> Fred Yarbrough wrote:
>> We have several machines with it here now. Some are fully patched! W2K3
>> servers and W2K servers too.
>>
>> I will be calling Microsoft as soon as we get a grasp as to what is going
>> on.
>>
> I'd say, create ghost images of the affected systems, scrub them and
> reinstall.
>
> You don't have admins surfing the web from one of your servers?
>

Or even from a workstation to which they are allowed to log in with
credentials used for server management and from which the servers are
network accessible for more than http/https.

Roger

Re: New Virus or Something

am 21.04.2006 16:17:59 von jeroen.wijnands

Roger Abell [MVP] wrote:
> wrote in message
> news:1145373836.622102.261580@i39g2000cwa.googlegroups.com...
> >
> > Fred Yarbrough wrote:
> >> We have several machines with it here now. Some are fully patched! W2K3
> >> servers and W2K servers too.
> >>
> >> I will be calling Microsoft as soon as we get a grasp as to what is going
> >> on.
> >>
> > I'd say, create ghost images of the affected systems, scrub them and
> > reinstall.
> >
> > You don't have admins surfing the web from one of your servers?
> >
>
> Or even from a workstation to which they are allowed to log in with
> credentials used for server management and from which the servers are
> network accessible for more than http/https.
>

That's of course another possibility. It's a more common cause than
some rootkit appearing mysteriously on the server.

Jeroen
http://wijnands.blogspot.com
