Possible New Virus ... ?

[steveox]

cool .. i tried a crack disk that sucked and couldn't get the admin password to change. also tried doing it in safe mode your way and it also didn't work. but i figure if i can't figure it out then that's probably not the problem. turns out my account didn't have any password. it's got one now though =D

 

[mechBgon]

It is some kind of Gaobot worm variant. I used a McAfee tool that identified it as Gaobot.worm.gen.f and for more background on the Gaobot family, they link to this page.

The exact method of propagation will vary between variants. However, the following characteristics are typical:

Share Propagation

The worm propagates via accessible or poorly secured network shares, and some variants are intended to take advantage of two high profile exploits:

MS03-001 (RPC Locator)
MS03-026 (Dcom RPC)
When it attempts to spread through default administrative shares, for example:

PRINT$
E$
D$
C$
ADMIN$
IPC$

Some variants carry a list of poor username/password combinations. Users should avoid securing shares with passwords containing key sequences such as:

(etc)

So giving your Admin accounts strong passwords and putting on a firewall ought to help. Incidentally, my AVG Free Edition v.7 didn't find this infection. If you feel like slapping McAfee on for a while, you can get a free trial of VirusScan 9.0 from here. Click Downloads at the top and then Free trial software. Go through the configuration and make sure they've got all the bells and whistles switched on... heuristics, compressed-file scanning, etc 🙂

Also, disable System Restore so the virus can't hide in there. How to disable SR.