I think I got a virus/trojan that tried to replace Distribute.net client!

MWink

Diamond Member
Oct 9, 1999
Today when I rebooted my computer, I found that it wanted to connect to the Internet as soon as it started. I also noticed that my Distributed.net client would not work at all. I would click on it and nothing would happen. I thought it was trying to connect, but I found it was C:\Windows\System\WININIT.EXE. That program looks a LOT like a trojan. After renaming it in DOS, Distributed.net is working again. Also, there is a WININIT.LOG which talks about cracking something. Anyone else seen anything like this??? Where could it have come from?
 

Fandu

Golden Member
Oct 9, 1999
My first guess is that you have your main hard drive shared as "C" with full access granted, correct? And you also have File sharing enabled over your modem/NIC. Yes, there was an announcement last week about a trojan exactly like this.
 

Viztech

Platinum Member
Oct 9, 1999
I would try a virus scan of that drive, and see if it identifies it.
It sounds familiar though....

viz
 

Dale

Senior member
Oct 9, 1999
MWink, Bovine has the info on how to remove it.

it is 'harmless' ; ) just cracks for someone else

..Dale
 

DanC

Diamond Member
Jun 2, 2000


<< My first guess is that you have your main hard drive shared as "C" with full access granted, correct? And you also have File sharing enabled over your modem/NIC. Yes, there was an announcement last week about a trojan exactly like this. >>

You mean I'm not supposed to have it set up that way???? - psych - just kidding. :)
 

Viztech

Platinum Member
Oct 9, 1999
Yes, the reason YOUR dnetc.exe wasn't running is that his was already running... as a service.

Yes, I'd love to see that log file as well.

viz
 

Wik

Platinum Member
Mar 20, 2000
The trojan they are talking about is msinit.exe, not wininit.exe.

wininit.exe is the DOS file Windows executes to put up the splash:

Initializing Windows.........

Completed updating files, continuing to load Windows...

Don't worry about it.
 

LeBlatt

Golden Member
Dec 8, 1999
<< it is 'harmless' ; ) just cracks for someone else >>

You call that harmless Dale ?? :Q
 

Hydra

Member
Sep 30, 2000


<< I would try a virus scan of that drive, and see if it identifies it. >>

The problem with most trojans is that they do not behave like a virus (they don't infect .exe files) but spread actively. Most virus scanners use a mix of signature and heuristic scanning. Trojans that do not have their signature in the scanner DB will probably not be detected.
 

MWalkden

Golden Member
Dec 7, 1999
I have something afoot in my system too!:| My home herd puts out 3500 a day and for yesterday I only got about 2500. The day before I got less. Today it appears back to normal (which is strange but good!:)).

The strange thing is I haven't been able to find anything using the CPUs on any of my boxes. I've been using TaskInfo2000, which lets you see everything that is loaded and/or running. On every box it shows about 98% of the CPU usage going to the clients. I'm still confused about it all!:(
 

sciencewhiz

Diamond Member
Jun 30, 2000
It is possible that there is a new worm going around (possibly a derivative of the last one). Team deathmatch had a flush of over 500 tnodes. It is possible that this new worm uses wininit instead of msinit. If you take a look at Bovine's plan, you can get some more information about the last worm and also a new program to help clean the worm and other worms.
 

nukefarmer

Senior member
May 7, 2000
Someone dropped by on the DPC forum who had a trojaned rc5/ogr client, also named wininit.exe. After removing this file everything seems OK.
It was running for bymer@ukrpost.net, but this address doesn't show up in the rc5/ogr stats. Maybe he's been deleted already...

DPC forum thread
 

Wik

Platinum Member
Mar 20, 2000
:: 24-Sep-2000 13:19 (Sunday) ::
I have created a simple program that can be run on Win9x machines to
attempt to remove files associated with this most recent "MSINIT" worm,
as well as the VBS.Network and VBS.NetLog worms. You can download this
utility (with full source) from the following location:
http://www1.distributed.net/~bovine/wormfree.zip


Notice the names of these worms, guys! wininit.exe is not a worm. Trust me. And if you did get one of the worms mentioned above, you should look into some firewall programs or stop using file sharing. You guys are so paranoid. No offense.
 

sciencewhiz

Diamond Member
Jun 30, 2000
bymer was also the name of the e-mail address on the last trojan. It still sounds to me like this is just a variation of the last worm.
 

MWink

Diamond Member
Oct 9, 1999
WOW! The guys in General HW were no help at all. You guys got it perfect!

Yes, I have file sharing enabled. There was something about Bymer.Scanner. It is NOT MSINIT.EXE. It is WININIT.EXE. Here is the log file:

Started at 0:19 6.10.2000
Stopped (scanned 0, found 0) at 0:19 6.10.2000
Started at 0:19 6.10.2000
Stopped (scanned 272, found 0) at 0:20 6.10.2000
Started at 0:21 6.10.2000
Stopped (scanned 4584, found 0) at 0:33 6.10.2000
Started at 0:34 6.10.2000
Stopped (scanned 890, found 0) at 0:44 6.10.2000
Started at 0:45 6.10.2000
Stopped (scanned 609, found 0) at 0:47 6.10.2000
Started at 0:48 6.10.2000
Stopped (scanned 3537, found 0) at 0:55 6.10.2000
Stopped (scanned 1168, found 0) at 0:58 6.10.2000
Started at 0:59 6.10.2000
Stopped (scanned 912, found 0) at 1:00 6.10.2000
Started at 1:01 6.10.2000
Stopped (scanned 2496, found 0) at 1:07 6.10.2000


I updated my virus scanner yesterday and it still did not pick it up. I guess I will try another one. My biggest question is WHERE DID IT COME FROM??? That has me stumped. Well, thanks for all the help.
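The WININIT.LOG lines MWink posted have a regular shape, and the seventh "Stopped" line has no "Started" before it, so a responder reading such a log by hand can easily mis-pair the entries. As an added example (not code from this thread, from distributed.net, or from Bovine's wormfree utility), here is a Python parser that pairs each "Started" with its "Stopped" line, totals the scanned/found counts, and treats an unmatched "Stopped" as a run with an unknown start rather than discarding it. It assumes the dates are day.month.year (which fits the thread's October 2000 date) and makes no claim about what "scanned" counts, since the thread does not say.

```python
"""Parse a WININIT.LOG of the shape posted in the thread (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed input: the log lines exactly as MWink posted them above.
# The 7th "Stopped" line has no "Started" before it; the parser must tolerate that.
SAMPLE_LOG = """\
Started at 0:19 6.10.2000
Stopped (scanned 0, found 0) at 0:19 6.10.2000
Started at 0:19 6.10.2000
Stopped (scanned 272, found 0) at 0:20 6.10.2000
Started at 0:21 6.10.2000
Stopped (scanned 4584, found 0) at 0:33 6.10.2000
Started at 0:34 6.10.2000
Stopped (scanned 890, found 0) at 0:44 6.10.2000
Started at 0:45 6.10.2000
Stopped (scanned 609, found 0) at 0:47 6.10.2000
Started at 0:48 6.10.2000
Stopped (scanned 3537, found 0) at 0:55 6.10.2000
Stopped (scanned 1168, found 0) at 0:58 6.10.2000
Started at 0:59 6.10.2000
Stopped (scanned 912, found 0) at 1:00 6.10.2000
Started at 1:01 6.10.2000
Stopped (scanned 2496, found 0) at 1:07 6.10.2000
"""

STARTED_RE = re.compile(r"^Started at (\d{1,2}:\d{2}) (\d{1,2}\.\d{1,2}\.\d{4})$")
STOPPED_RE = re.compile(
    r"^Stopped \(scanned (\d+), found (\d+)\) at (\d{1,2}:\d{2}) (\d{1,2}\.\d{1,2}\.\d{4})$"
)


def _timestamp(clock: str, date: str) -> datetime:
    # Assumption: the date field is day.month.year, matching the thread's October 2000 date.
    return datetime.strptime(f"{clock} {date}", "%H:%M %d.%m.%Y")


@dataclass
class ScanRun:
    started: Optional[datetime]  # None when no "Started" line preceded this "Stopped"
    stopped: datetime
    scanned: int
    found: int

    @property
    def minutes(self) -> Optional[float]:
        """Wall-clock length of the run, or None if the start is unknown."""
        if self.started is None:
            return None
        return (self.stopped - self.started).total_seconds() / 60


def parse_log(text: str) -> List[ScanRun]:
    """Pair Started/Stopped lines; an unmatched Stopped becomes a run with no start."""
    runs: List[ScanRun] = []
    pending: Optional[datetime] = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := STARTED_RE.match(line):
            pending = _timestamp(m.group(1), m.group(2))
        elif m := STOPPED_RE.match(line):
            runs.append(ScanRun(pending, _timestamp(m.group(3), m.group(4)),
                                int(m.group(1)), int(m.group(2))))
            pending = None
        else:
            raise ValueError(f"line {lineno}: unrecognised log line {line!r}")
    return runs


def summarize(runs: List[ScanRun]) -> dict:
    """Totals a responder wants at a glance: how much was scanned and whether anything was found."""
    if not runs:
        return {"runs": 0, "orphan_stops": 0, "scanned": 0, "found": 0, "first": None, "last": None}
    starts = [r.started for r in runs if r.started is not None]
    return {
        "runs": len(runs),
        "orphan_stops": sum(1 for r in runs if r.started is None),
        "scanned": sum(r.scanned for r in runs),
        "found": sum(r.found for r in runs),
        "first": min(starts + [r.stopped for r in runs]),
        "last": max(r.stopped for r in runs),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run it as-is to see the totals for the posted log; for a real file, pass `open(path).read()` to `parse_log`. The `orphan_stops` count is worth checking on a recovered log: a "Stopped" with no "Started" means either the log was truncated or the writer skipped a line, and either way the runs before it should not be trusted as a clean sequence.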
 

Viztech

Platinum Member
Oct 9, 1999
Hydra-
I stand corrected Sir.

MWink-
Did you get any help from Dale's link?

viz
 

sciencewhiz

Diamond Member
Jun 30, 2000
You should also look into getting a firewall. I use ZoneAlarm, available for free for personal use.

Like Fandu said, it probably came because you have file sharing enabled. If you don't need file-sharing, you can disable it, otherwise you need a firewall to keep this from happening again.
 

MWink

Diamond Member
Oct 9, 1999
Viztech: Yes.

sciencewhiz: I did try ZoneAlarm once and HATED it. I probably did get it because sharing was enabled. Usually IE will warn me that it is enabled on TCP/IP and ask me if I want to disable it. I found the "Check Security" box unchecked. I checked it, and the next time I started IE it told me sharing was enabled. Now I have it disabled on TCP/IP so this won't happen again.

Thanks again.