First timer here,

We are a corporate customer of MAB, and we are fighting an outbreak of this worm. Trend started detecting it yesterday. Trend usually seems to clean it (as does Malwarebytes) but within hours, the PC gets re-infected. We have blocked (at the firewall) the outbound connections it tries to make. But PCs are getting infected as soon as they get cleaned.






What outbound connections did you block at your firewall? A client of mine got infected about the same day as you and we can't seem to find what file is running that keeps placing entries back into the registry. We've pretty much deleted the folder it creates under the Users\%username%\appdata\roaming\Microsoft\ folder as well as put a GPO in effect that disallows running exe from those folders, but still can't find the source file that keeps dropping the registry entries.


If you read the link from Trend, there are about 6 websites that it tries to send the information to. We blocked those. Trend real time seems to catch the files and delete them. Be warned, the virus does seem to kill XP and Server 2003 devices. Use MBAM exclusively to clean those, that seems to work OK (but still be careful). You should also disable scheduled tasks on PCs. .WPL files should be deleted also, that seems to be a main vector. We enabled Windows Firewall on PCs and temporarily disabled inbound ports 445 (SMB) and 139 (NetBIOS) as it seems to propagate via those. That had other consequences but we had to nail this down first.

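A read-only triage sketch for the persistence points named in this thread (the AppData\Roaming\Microsoft folder, scheduled tasks, .WPL files), added here as an example and not posted by any participant. It assumes the re-created registry entries are Run/RunOnce autostart values (the thread names no keys), an English-language schtasks.exe, profiles under C:\Users, and an elevated prompt.

```powershell
# Added example: read-only triage, nothing is changed or deleted.
# Run elevated; only hives of logged-on users are loaded under HKEY_USERS.
$pattern = '\\AppData\\Roaming\\|%APPDATA%'   # regex for paths into the roaming profile

# 1. Autostart values pointing into Roaming.
#    Assumption: the re-dropped entries are Run/RunOnce values (the thread names no keys).
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem 'Registry::HKEY_USERS' |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::$($_.Name)" }
$autoruns = foreach ($root in $roots) {
    foreach ($sub in 'Run', 'RunOnce') {
        $key = Get-Item "$root\Software\Microsoft\Windows\CurrentVersion\$sub" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($data -match $pattern) {
                New-Object psobject -Property @{ Key = $key.Name; Value = $name; Data = $data }
            }
        }
    }
}

# 2. Scheduled tasks whose action runs from Roaming.
#    Assumption: English column names in schtasks.exe output.
$tasks = schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Task To Run' -match $pattern } |
    Select-Object TaskName, 'Task To Run', 'Run As User' -Unique

# 3. Executables under the folder named in the thread, and .wpl files in any profile.
#    Assumption: profiles live under C:\Users.
$exes = Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft' -Recurse -Force -Filter '*.exe' -ErrorAction SilentlyContinue
$wpls = Get-ChildItem 'C:\Users' -Recurse -Force -Filter '*.wpl' -ErrorAction SilentlyContinue

Write-Host '--- Autostart values pointing into Roaming ---'
$autoruns | Format-List Key, Value, Data | Out-Host
Write-Host '--- Scheduled tasks running from Roaming ---'
$tasks | Format-List | Out-Host
Write-Host '--- EXEs under AppData\Roaming\Microsoft ---'
$exes | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-Host
Write-Host '--- .wpl files ---'
$wpls | Select-Object FullName, LastWriteTime | Format-Table -AutoSize | Out-Host
```

Hits are leads to review rather than verdicts: .wpl is also the Windows Media Player playlist extension, and some legitimate software starts from the roaming profile.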
