Hi,

It's the IRC virus. Seems that you don't have MS05-039 missing:

http://www.internetsecurity.fi/v-descs/ircbot_es.shtml

Best Regards
Andy Schmidt

Phone: +1 201 934-3414 x20 (Business)
Fax: +1 201 934-9206

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Colbeck, Andrew
Sent: Tuesday, August 16, 2005 06:33 PM
To: Declude.JunkMail@declude.com
Subject: RE: [Declude.JunkMail] VIRUS WARNING

Thanks for the heads up, Kim.

If you still have the files, you can do a couple more things to help the wider community:

Password protect them in a zip file and submit the samples to:

The handlers at the SANS Internet Storm Center, who love to chase down new malware and will share with vendors:

http://isc.sans.org/

This free webform that will check multiple antivirus vendors' current signatures (submit them one executable at a time):

http://www.virustotal.com/

The open source CLAM team, which will add to their database and submit your samples to other vendors:

http://www.clamav.com/

For the most detail, submit the malware you've found to the Norman sandbox, which will email you a report of what the executable does (if it's hostile, it will advise you to forward the message plus the malware to their antivirus submission email address):

http://sandbox.norman.no/live.html

Andrew 8)

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kim Premuda
> Sent: Tuesday, August 16, 2005 3:13 PM
> To: Declude.JunkMail@declude.com
> Subject: [Declude.JunkMail] VIRUS WARNING
>
> VIRUS WARNING
> -------------
>
> For the past 2 days, our server that runs IMail was bringing
> the rest of our network to a crawl. If we disconnected this
> server from the network, then the network would restore to
> normal. Just in case anyone else is having network problems,
> this may be the cause. Here's what we did to fix it.
>
> In the Windows Task Manager, look for either of two
> programs/processes:
>
> mousebm.exe
> mousesync.exe
>
> You will not be able to end these processes from Task
> Manager. You must first open the Registry Editor and search
> for the following folders and delete them:
>
> HKLM/System/ControlSet001/Services/Mousebm
> HKLM/System/ControlSet001/Services/Mousesync
>
> HKLM/System/ControlSet002/Services/Mousebm
> HKLM/System/ControlSet002/Services/Mousesync
>
> Then reboot the server. After rebooting, you will now be able
> to delete the two offending files. They are located in:
>
> c:\winnt\system32\mousebm.exe
> c:\winnt\system32\mousesync.exe
>
>
> If you find that the offending files re-appear in the Task
> Manager, look for the following file and delete it:
>
> c:\winnt\system32\i
>
> You will then have to repeat the above steps again.
>
> We searched Trend Micro, Symantec, McAfee, and Google for
> these files, but none of these web sites had any information
> on them. Perhaps, this virus has not yet been identified by them.
>
> Good luck!
>
>
> --
> Kim W. Premuda
> FastWave Internet Services
> San Diego, CA
>
> --
> ---
> [This E-mail scanned for viruses by Declude Virus]
>
> ---
> This E-mail came from the Declude.JunkMail mailing list. To
> unsubscribe, just send an E-mail to [EMAIL PROTECTED], and
> type "unsubscribe Declude.JunkMail". The archives can be
> found at http://www.mail-archive.com.
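
The indicators listed in the original warning (two process names, four service keys, three files), gathered into one read-only check. This is an added example, not part of the thread; it assumes a host with PowerShell 4 or later, writes the registry paths in PowerShell's HKLM:\ form, and uses $env:SystemRoot where the post gives c:\winnt.

```powershell
# Read-only check for the indicators named in the thread. Nothing is stopped or
# deleted; the function only reports what is present so it can be triaged.
$processNames = 'mousebm', 'mousesync'            # image names without .exe
$serviceNames = 'Mousebm', 'Mousesync'
$controlSets  = 'ControlSet001', 'ControlSet002'  # the two sets named in the post
$fileNames    = 'mousebm.exe', 'mousesync.exe', 'i'

function Get-IndicatorHits {
    $hits = @()

    # 1. Running processes with the reported image names
    foreach ($p in Get-Process -Name $processNames -ErrorAction SilentlyContinue) {
        $hits += [pscustomobject]@{ Type = 'Process'; Item = $p.Name; Detail = "PID $($p.Id)" }
    }

    # 2. Service registrations under each control set, with the binary they point to
    foreach ($cs in $controlSets) {
        foreach ($svc in $serviceNames) {
            $key = "HKLM:\SYSTEM\$cs\Services\$svc"
            if (Test-Path -LiteralPath $key) {
                $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                $hits += [pscustomobject]@{ Type = 'ServiceKey'; Item = $key; Detail = $props.ImagePath }
            }
        }
    }

    # 3. Files in system32 (c:\winnt\system32 in the post), with size, timestamp
    #    and SHA-256 so a sample can be matched against vendor reports later
    $sys32 = Join-Path $env:SystemRoot 'system32'
    foreach ($name in $fileNames) {
        $path = Join-Path $sys32 $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f    = Get-Item -LiteralPath $path -Force
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Item = $path
                Detail = "$($f.Length) bytes, modified $($f.LastWriteTime), SHA256 $hash" }
        }
    }
    $hits
}

$found = @(Get-IndicatorHits)
if ($found.Count -eq 0) { 'No listed indicators found.' }
else { $found | Format-Table -AutoSize -Wrap }
```

Run it from an elevated prompt so the service keys and system32 files are readable.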