OhMiOhMy Thread and trkwksvc.exe

http://forums.techguy.org/malware-r...download-software.html?highlight=trkwksvc.exe
I couldn't post a reply and apparently I can't PM either (new member restriction?) so I'm creating this new thread.

OhMiOhMy's connection problem may very well be C:\WINDOWS\trkwksvc.exe.

I found this on two computers with intermittent connection problems due to flooding the NIC with outgoing activity. Windows 2000 SP 4 - C:\WINNT and Windows XP SP2 - C:\WINDOWS.

The file I believe to be malware, trkwksvc.exe, is listed at Symantec's web site, but with completely different symptoms and this particular version was not detectable with SAV 9.0.3.1000, scan engine 71.3.0.25, definition files from 10/31/2007 rev. 16.

I found the culprit when I ran the SysInternals.com tools - Process Explorer and File Monitor. Crazy thing...when either of these tools are launched, they are terminated and their executable file is deleted from the file system. However, the malware is not clever enough to figure out these tools are running if you simply rename procexp.exe and filemon.exe to something like pr.exe and fm.exe.

The File Monitor showed me what process was deleting the procexp and filemon files and sure enough, it was trkwksvc.exe. Kill that process with Process Explorer. Delete trkwksvc.exe from your file system.

You will find entries in your registry for this that show it as "NET Service" - you'll find this listed in services.msc also, but you will likely be unable to edit or modify anything there. Search your registry for trkwksvc.exe and delete all instances of it and delete all keys for "NET Service".

This may solve your connectivity problems as you will no longer be plagued by the overwhelming network activity this things causes. I've also sent the file and my findings to Symantec, so hopefully they will soon provide virus definition files to combat this thing.

 

Just a quick follow up:

I just found this web site: www.virustotal.com

Looks to be virus, but was missed by a few of the big ones. I ran the file and here are the results:

File trkwksvc.exe received on 11.02.2007 21:26:20 (CET)
Result: 14/32 (43.75%)

Antivirus Version Last Update Result
AhnLab-V3 2007.11.3.0 2007.11.02 -
AntiVir 7.6.0.30 2007.11.02 Worm/SdBot.162304.6
Authentium 4.93.8 2007.11.02 -
Avast 4.7.1074.0 2007.11.02 Win32:SdBot-gen44
AVG 7.5.0.503 2007.11.02 Generic8.OTL
BitDefender 7.2 2007.11.02 Generic.Sdbot.55442D59
CAT-QuickHeal 9.00 2007.11.02 (Suspicious) - DNAScan
ClamAV 0.91.2 2007.11.02 -
DrWeb 4.44.0.09170 2007.11.02 -
eSafe 7.0.15.0 2007.10.28 Suspicious File
eTrust-Vet 31.2.5262 2007.11.02 -
Ewido 4.0 2007.11.02 -
FileAdvisor 1 2007.11.02 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.02 -
F-Secure 6.70.13030.0 2007.11.02 -
Ikarus T3.1.1.12 2007.11.02 -
Kaspersky 7.0.0.125 2007.11.02 Heur.Trojan.Generic
McAfee 5155 2007.11.02 -
Microsoft 1.2908 2007.11.02 Backdoor:Win32/Rbot.gen!A
NOD32v2 2634 2007.11.02 probably a variant of Win32/Genetik
Norman 5.80.02 2007.11.02 -
Panda 9.0.0.4 2007.11.02 W32/Gaobot.QAN.worm
Prevx1 V2 2007.11.02 Heuristic: Suspicious Backdoor
Rising 20.16.42.00 2007.11.02 -
Sophos 4.23.0 2007.11.02 -
Sunbelt 2.2.907.0 2007.11.02 VIPRE.Suspicious
Symantec 10 2007.11.02 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.11.02 suspected of Malware.Agent.23 (paranoid heuristics)
VirusBuster 4.3.26:9 2007.11.01 -
Webwasher-Gateway 6.6.1 2007.11.02 Worm.SdBot.162304.6