Mark Minasi's Reader Forum
 wrm.exe
Curt
Moderator

USA
6652 Posts
Status: offline

Posted - 02/12/2004 : 4:55:32 PM
I posted this a few weeks back on the MISC. forum, but with the new forum edition it belongs here.


There is a nasty BackDoor Worm out there that has several versions.

There is not a great deal of information out there on it, so here is what I have.
C:\WINNT\System32\wrm.exe -start is the most common location on your Win2k system. It runs as a service with the title "SQL Service Agent", as opposed to "SQLSERVERAGENT", which runs from MSSQL\binn\sqlagent.exe.

This little program provides unseen Telnet services.
You may see this on some sites as Wollf.14. One of the five versions.
Wollf.12 to Wollf.16

If you find it, disable the service in the registry, by changing the start value to 4. This disables the service. Do this first, because you may find your attempts to stop the service result in a timeout.

You should find it in: HKLM\SYSTEM\Controlset001\services\sqlsa

You will note the image path: SQL Service Agent

Put a quotation mark in the value of the image path.
Delete this and remove it from the Recycle bin too.

I would then keep an eye on the login attempts.

I know someone will ask, so here you go.
The machine was behind a NAT hardware firewall. The machine is well patched. But a different virus definition revealed it.

One of the sites I found this morning, stated the origin as China.


Curt Spanburgh
Microsoft Certified Business Solution Specialist.
Dynamics CRM MVP
Contributing Editor, Windows IT Pro

He that is walking with wise persons will become wise, but he that is having dealings with the stupid ones will fare badly.
Proverbs 13:20
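The check and the Start=4 step from the post above, as an added PowerShell example that is not from the forum or its author: it lists any service named sqlsa, titled "SQL Service Agent" or launching wrm.exe, and with -Disable sets its Start value to 4. It assumes an elevated shell and reads CurrentControlSet rather than the post's ControlSet001, since CurrentControlSet is the control set the running system uses.

```powershell
# Added example (not from the forum post): audit Windows services for the
# "SQL Service Agent" / wrm.exe indicators described above and optionally
# disable the matching service by setting Start=4, as the post recommends.
# Assumption: CurrentControlSet is used instead of the post's ControlSet001.
param(
    [switch]$Disable   # without -Disable the script only reports
)

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$suspicious  = @()

foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if (-not $props) { continue }

    $imagePath   = [string]$props.ImagePath
    $displayName = [string]$props.DisplayName

    # Indicators from the post: service key "sqlsa", display name "SQL Service Agent"
    # (note the space; the genuine agent is "SQLSERVERAGENT" running sqlagent.exe),
    # or an ImagePath that launches wrm.exe.
    $hit = ($key.PSChildName -ieq 'sqlsa') -or
           ($displayName -eq 'SQL Service Agent') -or
           ($imagePath -imatch 'wrm\.exe')
    if (-not $hit) { continue }

    $suspicious += [pscustomobject]@{
        Service     = $key.PSChildName
        DisplayName = $displayName
        ImagePath   = $imagePath
        Start       = $props.Start
        Key         = $key.Name
    }

    if ($Disable) {
        # Start=4 marks the service Disabled; it takes effect on the next boot
        # even when the running service refuses to stop, as the post describes.
        Set-ItemProperty -Path $key.PSPath -Name Start -Value 4 -Type DWord
        Write-Warning "Disabled service '$($key.PSChildName)' ($imagePath); reboot, then delete the binary."
    }
}

if ($suspicious.Count -eq 0) {
    Write-Output 'No service matching the wrm.exe / "SQL Service Agent" indicators was found.'
} else {
    $suspicious | Format-Table -AutoSize
}
```

Run it once without -Disable to confirm the only hit is the rogue service and not the legitimate SQLSERVERAGENT before disabling anything.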


ichi
Welcome Newcomer

1 Posts
Status: offline

Posted - 05/11/2011 : 11:07:13 PM
A bible quote after a tech analysis, nice lol.. An XP machine with wrm.exe keeps writing to the registry at hkey-software-user\software\Microsoft\search assistant\acmru\5601 ..02,03,04 .. don't know what's doing this; I delete acmru and the "tips" container in acmru and it still comes back.. no SQL containers on here ..