Tuesday, April 19, 2005

Possible Worm getting around

Variants may create different names. Earlier "strains" created an EXE called "netmonl.exe" or "netmom.exe", or even "netmon.exe" in different locations.

If you are running XP, update to SP2 and download the Microsoft AntiSpyware tool (formerly "Giant AntiSpyware"). It will notify you when the service tries to reinstall itself after you delete the EXE, and you can have it blocked, effectively preventing it from spreading.

Your machine will still have this bad application, however, so update your OfficeScan virus defs and have it do a scan to nab and remove it completely. If for some reason you do not have OfficeScan running or installed (for example, software conflicts), you can quickly install it, do the cleanup, and uninstall it.

If the server was infected, then after cleanup it may still have the same service, Smart Card Client (SCardClnt), but now pointing to hhh.exe instead of SCardClnt.exe.

If your computer was infected, check your Task Manager again for hhh.exe.

Though it was not running as a process or logged in the registry, I found the following on the HDD:

C:\WINDOWS\Prefetch\SCARDCLNT.EXE-179D096F.pf (12 KB)
C:\WINDOWS\system32\SCardClnt.exe (0 KB)

So delete both.

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRANDEX%2EBN&VSect=Sn

It is NOT related to the smartcard device reader.

Do a quick check on your machine for a file called "SCardClnt.exe". It may also be installed as a service.

This is a backdoor worm that is getting around. I am trying to get rid of it now. It spreads via network shares (the way ClearCase works). The backdoor payload is a variant of "CODBOT" (Codbot.Z).
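The checks above (a process named hhh.exe, a service called SCardClnt or pointing at one of the listed EXEs, the 0 KB SCardClnt.exe and its prefetch entry) can be run as one triage pass. The script below is an added example written for this post, not code from the post or from Trend Micro; it works over a constructed host inventory rather than the live system, and it deliberately leaves Windows' own Smart Card service (SCardSvr) alone, since the worm is unrelated to the smart card reader.

```python
import ntpath
import re

# File names the post lists for this worm and its earlier strains.
BAD_EXES = {"scardclnt.exe", "hhh.exe", "netmon.exe", "netmonl.exe", "netmom.exe"}
# Windows' legitimate Smart Card service; the worm's "SCardClnt" is not related to it.
LEGIT_SMARTCARD_SERVICE = "scardsvr"
# Prefetch entries look like SCARDCLNT.EXE-179D096F.pf (name, dash, 8 hex digits).
PREFETCH_RE = re.compile(r"^(SCARDCLNT|HHH|NETMONL?|NETMOM)\.EXE-[0-9A-F]{8}\.pf$", re.I)


def image_exe(image_path):
    """Return the lower-cased EXE name from a service ImagePath, ignoring quotes and arguments."""
    match = re.search(r'([^\\/"]+\.exe)\b', image_path, re.I)
    return match.group(1).lower() if match else image_path.strip().lower()


def triage(processes, services, files):
    """Return (kind, detail) findings for the worm's indicators in a host inventory."""
    findings = []
    for proc in processes:
        if proc.lower() in BAD_EXES:
            findings.append(("process", proc))
    for name, image in services.items():
        if name.lower() == LEGIT_SMARTCARD_SERVICE:
            continue  # the real Smart Card service is not an indicator
        # Flag the worm's service name even after cleanup renamed its binary to hhh.exe.
        if name.lower() == "scardclnt" or image_exe(image) in BAD_EXES:
            findings.append(("service", f"{name} -> {image}"))
    for path, size in files:
        base = ntpath.basename(path)
        if base.lower() in BAD_EXES or PREFETCH_RE.match(base):
            findings.append(("file", path + (" (0 KB stub)" if size == 0 else "")))
    return findings


# Constructed inventory modelled on what the post describes after a partial cleanup.
SAMPLE_PROCESSES = ["explorer.exe", "hhh.exe", "svchost.exe"]
SAMPLE_SERVICES = {
    "SCardSvr": r"C:\WINDOWS\System32\SCardSvr.exe",
    "SCardClnt": r'"C:\WINDOWS\system32\hhh.exe"',
    "Spooler": r"C:\WINDOWS\system32\spoolsv.exe",
}
SAMPLE_FILES = [
    (r"C:\WINDOWS\Prefetch\SCARDCLNT.EXE-179D096F.pf", 12 * 1024),
    (r"C:\WINDOWS\system32\SCardClnt.exe", 0),
    (r"C:\WINDOWS\system32\SCardSvr.exe", 100 * 1024),
]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_PROCESSES, SAMPLE_SERVICES, SAMPLE_FILES):
        print(f"{kind:8} {detail}")
```

On a real XP box the three inputs would come from Task Manager, the service list and a search of %SystemRoot%, as the post walks through.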

1 comment:

Boston Bala said...

Updated virus information here: SCardClnt.exe: W32/Codbot-Gen