burbanksteve (Thread Starter) - Joined: Sep 8, 2004 - Messages: 2
Thought I'd share this as it's been driving me nuts for a couple of days. I got a worm on my work PC which looks a lot like the old sysupd.exe with a couple of interestingly nasty twists which made it very hard to get rid of.
The symptom is that you've got a process running in task manager that's using your spare CPU cycles (sort the tasks by CPU activity and you'll see it popping to the top every now and then). You don't recognize the process, but mine were called, variously, PCWAVE, AC, TCPCR, VBC and HOSTX. All potentially genuine-sounding names. The name changed on each reboot.
The .EXE file associated with the process that was running was hidden, and installed in various locations under WINNT after reboot (I'm running W2K).
Digging around in the registry revealed, under the RUN and RUNONCE branches for both HKLM and HKCU, references to both the program that was running and another unknown program (mine was called WODBC.EXE).
Further digging revealed a couple more hidden files - one file purported to be an .INI file, but was actually a binary with the same name as the running program, but reversed (i.e. VBC.EXE was accompanied by CBV.INI). In the documents and settings\myusername\local settings\temp folder I also found two hidden .DAT files - one named like the INI file, i.e. CBV.DAT, and another apparently randomly-named file (ssvvrd.dat).
Unlike the old sysupd file(s), there was no company, author etc. information in the file header. All the version information in the file(s) is blank.
The only common thread was the file sizes - the running executable was 694,272 bytes long, the "other" executable (my WODBC.EXE) was 215,040 bytes long. The .DAT file sizes were 86,016 and 98,304 bytes respectively.
Cleaning this little beast requires that you first delete the "non-running executable" (my WODBC.EXE) and then reboot in safe mode. Search and destroy the files referenced in the registry, plus their associated .INI and .DAT partners. Check and check again that you've deleted everything, and that you've deleted the registry references in BOTH current_user and local_machine. Check both the RUN and RUNONCE branches. Miss one thing and you're back to square one again.
Sorry it's not more specific with filenames, etc., but this thing changes its name on every reboot. The only commonality I could see was the file sizes of the executables and the .DAT and .INI files.
Hope this helps. I have Corporate NAV and Spysweeper on my PC, Spysweeper picked up that I had "something" running which it identified as sysupd, but it's a variant, and couldn't be cleaned.
No idea what it was doing, but I didn't want to sit around and wait to find out.
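The post above is a manual hunt through Task Manager, regedit and hidden folders. As an added example (not the poster's own procedure or tooling), here is a small Python triage helper that applies the post's indicators mechanically to an inventory you gather from the box yourself: Run/RunOnce values from both HKLM and HKCU (e.g. from `reg query`), plus size/hidden/version-info facts about the files they point at and about the .INI and .DAT files in the user's temp folder (e.g. from `dir /a:h /s`). It flags an entry only when several indicators line up (hidden, blank version info, one of the reported sizes, a reversed-name .INI partner) and emits a cleanup plan in the order the post recommends: the 215,040-byte "non-running" executable first, then in safe mode the running executable, its partner files and every Run/RunOnce value in both hives. All paths, the user name "steve", and the legitimate `vptray.exe` entry in the sample inventory are constructed for illustration; the file sizes are the ones the post reports. `ntpath` is used so the Windows paths parse correctly wherever the script is run.

```python
import ntpath
from dataclasses import dataclass

# Sizes reported in the post; the only indicator that survived the renaming.
RUNNING_EXE_SIZE = 694_272
PARTNER_EXE_SIZE = 215_040
DAT_SIZES = {86_016, 98_304}
RUN_KEYS = {"Run", "RunOnce"}
HIVES = {"HKLM", "HKCU"}


@dataclass
class FileInfo:
    path: str
    size: int
    hidden: bool           # file has the hidden attribute
    version_blank: bool    # no company/product/version resource


def norm(p):
    """Case-insensitive, normalised Windows path used as a lookup key."""
    return ntpath.normcase(ntpath.normpath(p))


def partner_ini(exe_path):
    """VBC.EXE -> CBV.INI in the same directory (the reversed-name partner)."""
    d, name = ntpath.split(exe_path)
    stem = ntpath.splitext(name)[0]
    return ntpath.join(d, stem[::-1] + ".INI")


def uniq(seq):
    return list(dict.fromkeys(seq))


def score_exe(info, files):
    """Names of the post's indicators matched by one Run-key target."""
    hits = []
    if info.hidden:
        hits.append("hidden")
    if info.version_blank:
        hits.append("blank-version-info")
    if info.size == RUNNING_EXE_SIZE:
        hits.append("size=running-exe")
    elif info.size == PARTNER_EXE_SIZE:
        hits.append("size=partner-exe")
    ini = files.get(norm(partner_ini(info.path)))
    if ini is not None and ini.hidden:
        hits.append("reversed-name-ini")
    return hits


def triage(run_entries, files, temp_dir, min_hits=2):
    """run_entries: (hive, key, value_name, command) tuples from Run/RunOnce.
    files: {norm(path): FileInfo} for candidate executables, .INI and .DAT files.
    Returns the cleanup plan in the order the post recommends."""
    suspects = []
    for hive, key, value, cmd in run_entries:
        if hive not in HIVES or key not in RUN_KEYS:
            continue
        info = files.get(norm(cmd.strip().strip('"')))
        if info is None:
            continue
        hits = score_exe(info, files)
        if len(hits) >= min_hits:
            suspects.append({"hive": hive, "key": key, "value": value,
                             "exe": info.path, "hits": hits})
    temp = norm(temp_dir)
    dats = [f.path for p, f in files.items()
            if p.startswith(temp) and p.endswith(".dat")
            and f.hidden and f.size in DAT_SIZES]
    return {
        "registry_values": sorted({(s["hive"], s["key"], s["value"]) for s in suspects}),
        "delete_first": uniq(s["exe"] for s in suspects if "size=partner-exe" in s["hits"]),
        "delete_in_safe_mode": uniq(s["exe"] for s in suspects if "size=running-exe" in s["hits"])
                               + uniq(partner_ini(s["exe"]) for s in suspects if "reversed-name-ini" in s["hits"])
                               + dats,
        "hives_touched": sorted({s["hive"] for s in suspects}),
    }


# Constructed sample inventory (not real data): one infected W2K box as the post describes.
SAMPLE_TEMP = r"C:\Documents and Settings\steve\Local Settings\Temp"
SAMPLE_FILES = {norm(f.path): f for f in [
    FileInfo(r"C:\WINNT\system32\VBC.EXE", 694_272, True, True),
    FileInfo(r"C:\WINNT\system32\CBV.INI", 12_288, True, True),
    FileInfo(r"C:\WINNT\WODBC.EXE", 215_040, True, True),
    FileInfo(SAMPLE_TEMP + r"\CBV.DAT", 86_016, True, True),
    FileInfo(SAMPLE_TEMP + r"\ssvvrd.dat", 98_304, True, True),
    FileInfo(r"C:\Program Files\Symantec\vptray.exe", 102_400, False, False),  # benign, constructed
]}
SAMPLE_RUN = [
    ("HKLM", "Run", "VBC", r"C:\WINNT\system32\VBC.EXE"),
    ("HKLM", "RunOnce", "WODBC", r"C:\WINNT\WODBC.EXE"),
    ("HKCU", "Run", "VBC", r"C:\WINNT\system32\VBC.EXE"),
    ("HKCU", "RunOnce", "WODBC", r"C:\WINNT\WODBC.EXE"),
    ("HKLM", "Run", "vptray", r"C:\Program Files\Symantec\vptray.exe"),
]

if __name__ == "__main__":
    for k, v in triage(SAMPLE_RUN, SAMPLE_FILES, SAMPLE_TEMP).items():
        print(k, v)
```

If `hives_touched` comes back with only one hive, go back and re-check the other before rebooting; the post's point is that one surviving Run/RunOnce value in either hive reinstalls everything.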