Our network was just hit with this. It uses the LSASS exploit. Some of the less-used desktops and new machines didn't have their patches, and someone must have brought this in on their laptop.
The reason I'm posting this is that although Computer Associates InoculateIT will detect it (after the infection), the Symantec and Sophos removal tools for Forbot/Agobot/Gaobot are not detecting it. InoculateIT cannot remove it.
What is worse is that a manual removal is proving difficult - it is using tactics I've seen recent spyware use: a combination of the Run/RunOnce registry keys, and a service that is disabled and "marked for deletion", but still starts.
The files are "winjsd.exe", called Windows JavaScript Daemon, and "wmon32.exe", called WSA Configuration. winjsd.exe is opening up so many ports that it is congesting the network.
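An added triage example for the persistence described in the post above (not code from the post or from any vendor removal tool): it parses a `reg export` dump and flags Run/RunOnce values and service keys that reference the two file names. The sample export, the service name `ExampleSvc` and the value names are constructed assumptions; `Start`=4 (disabled) and `DeleteFlag`=1 (deletion pending) are the standard Windows service-key values.

```python
import re

# File names reported in the post; everything else here is constructed.
SUSPECT_FILES = ("winjsd.exe", "wmon32.exe")

# Constructed sample of `reg export` output (key and value names are placeholders).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows JavaScript Daemon"="winjsd.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"WSA Configuration"="wmon32.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]
"ImagePath"="C:\\WINDOWS\\system32\\winjsd.exe"
"Start"=dword:00000004
"DeleteFlag"=dword:00000001
'''

def parse_reg(text):
    """Return {key_path: {value_name: str or int}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"(.+?)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                current[name] = int(raw[6:], 16)
            elif raw.startswith('"'):
                # .reg files escape backslashes inside string data
                current[name] = raw[1:-1].replace("\\\\", "\\")
    return keys

def find_persistence(keys):
    """Flag autorun values and service ImagePaths naming a suspect file.
    Service hits carry (Start, DeleteFlag): (4, 1) is disabled and pending deletion."""
    hits = []
    for path, values in keys.items():
        leaf = path.rsplit("\\", 1)[-1].lower()
        for name, data in values.items():
            if not (isinstance(data, str) and any(f in data.lower() for f in SUSPECT_FILES)):
                continue
            if leaf in ("run", "runonce"):
                hits.append(("autorun", path, name))
            elif "\\services\\" in path.lower() and name.lower() == "imagepath":
                hits.append(("service", path, (values.get("Start"), values.get("DeleteFlag", 0))))
    return hits
```

A service hit with state `(4, 1)` matches the "disabled and marked for deletion" condition in the post; because such a key does not go away until the deletion actually completes, compare exports taken before and after a reboot.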