27499_up.exe??? trojan???

Discussion in 'OT Technology' started by DiScoTeknix, May 1, 2004.

  1. DiScoTeknix

    DiScoTeknix Guest

Every time I go online (specifically AIM and talking to a specific person) an executable will pop up in my windows/system32 dir as... xxxxx_up.exe where x is a number... I got 27499 the first time and 24539 or something the second time. It seems to disable the RPC thing and at first gave me the same error as msblast (shutdown in 60 seconds bla bla). I searched everywhere and couldn't find a single thing on it :ugh: Anybody know what this could be? It seems to use up a lot of processing time and lags the system.
     
  2. Mirrorlure7M

    Mirrorlure7M OT Supporter

    Joined:
    Oct 28, 2002
    Messages:
    4,645
    Likes Received:
    0
    Location:
    Southwest Fl
    I have never heard of this one ??
     
  3. MattIROC

    MattIROC has a semi nice av. changed due to rules :(

    Joined:
    Mar 2, 2003
    Messages:
    4,356
    Likes Received:
    0
    Location:
    San Antonio, Tx
Sounds like a virus.. but never heard of it. Did you install the fix for msblaster? Is the RPC disabled in the services box?
     
  4. Wolf68k

    Wolf68k OT Supporter

    Joined:
    Dec 18, 2003
    Messages:
    4,861
    Likes Received:
    2
    Location:
    Houston, Texas
  5. DiScoTeknix

    DiScoTeknix Guest

I can't find anything about the virus and the symptoms anywhere. I have the fix for msblaster, but RPC is enabled and set to auto, should it be disabled?? AVG is what I use :big grin: awesome virus killer, even though it didn't find anything, and I used an older version of Trillian and didn't like it, I will try the latest. I restarted and deleted the xxxxx_up.exe and it kept coming back as a different number.. in the same dir I noticed avserve.exe which also was a process in Task Manager... I disabled it in msconfig and deleted the file and it fixed all of my problems... but I know there is an avserv too which is important right?

    Is avserv the same as avserve.exe?
     
  6. col_panic

    col_panic calm like a bomb Moderator

    Joined:
    Sep 19, 2003
    Messages:
    188,160
    Likes Received:
    0
    Location:
    winter haven, fl
You can't really disable RPC and function. I would run the Blaster removal tool and patch the system.
     
  7. DiScoTeknix

    DiScoTeknix Guest

Dad's PC got the same errors too, I think it was the vulnerability covered in MS04-011... did a bunch of Windows updates and the problem is gone. 3 different viruses since my last rebuild 6 months ago, maybe it's time to finally build a Red Hat box :big grin:
     
  8. Wolf68k

    Wolf68k OT Supporter

    Joined:
    Dec 18, 2003
    Messages:
    4,861
    Likes Received:
    2
    Location:
    Houston, Texas
You keep acting like all you're trying to do is just find the virus manually by searching for info on it online, and make blind stabs as to which virus it is.
But have you run an anti-virus program on your system????
You haven't said if you have or not.
     
  9. DiScoTeknix

    DiScoTeknix Guest

I ran both AVG and VirusScan Enterprise, neither of them found anything, that is why I posted and kept searching around trying to see if anybody else had the same issues. I deleted a few files that seemed suspicious and ran both antivirus programs, then installed all of the Windows updates, and all of the problems such as the 60 seconds until shutdown and excessive CPU/memory usage ceased.
     
  10. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
    Update your virus definitions...

    http://securityresponse.symantec.com/avcenter/venc/data/w32.sasser.worm.html
     
  11. Wolf

    Wolf No one plans to take the path that brings you lowe

    Joined:
    Mar 23, 2003
    Messages:
    105,186
    Likes Received:
    10
    Location:
    Austin, TX
    Someone posted a similar thing in the main forum a couple days ago, but the numbers in the file were different. I'm guessing it's either an automatic software update thing, or it's adware/spyware AOL is installing.
     
  12. Keyzs

    Keyzs OT Supporter

    Joined:
    Nov 3, 2003
    Messages:
    814
    Likes Received:
    0
    Location:
    Charlotte, MI
From the link above: W32.Sasser.Worm

    10. Uses the shell on the remote computer to connect back to the infected computer's FTP server, running on TCP port 5554, and retrieve a copy of the worm. This copy will have a name consisting of four or five digits, followed by _up.exe. For example, 74354_up.exe.
     
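The indicators quoted above (a dropped copy named four or five digits followed by _up.exe, and the worm's FTP server listening on TCP 5554), plus the avserve.exe process the original poster found, can be checked mechanically. The following triage script is an added example and not from Symantec's write-up or any forum member; the directory listing and netstat output it runs over are constructed samples, and the file, process and port names it matches are exactly the ones given in this thread.

```python
import re
from typing import Dict, List

# Indicators taken from this thread: <4-5 digits>_up.exe dropped copies,
# the avserve.exe process, and the worm's FTP listener on TCP 5554.
UP_EXE_RE = re.compile(r"^\d{4,5}_up\.exe$", re.IGNORECASE)
WORM_PROCESS = "avserve.exe"
WORM_FTP_PORT = 5554

# Constructed sample of a windows\system32 directory listing (not a real capture).
SAMPLE_SYSTEM32 = [
    "27499_up.exe", "kernel32.dll", "avserve.exe",
    "update_up.exe", "123_up.exe", "notepad.exe",
]

# Constructed sample in the column layout of Windows "netstat -an" output.
SAMPLE_NETSTAT = [
    "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING",
    "  TCP    0.0.0.0:5554           0.0.0.0:0              LISTENING",
    "  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING",
    "  UDP    0.0.0.0:5554           *:*",
]


def suspicious_filenames(names: List[str]) -> List[str]:
    """Return names matching the _up.exe pattern or the avserve.exe dropper.
    '123_up.exe' and 'update_up.exe' are deliberately NOT matched: the
    pattern needs four or five leading digits, as in the write-up."""
    return [n for n in names if UP_EXE_RE.match(n) or n.lower() == WORM_PROCESS]


def sasser_ftp_listeners(netstat_lines: List[str]) -> List[str]:
    """Return local addresses with a TCP socket in LISTENING state on port 5554.
    A listener on 5554 is a triage hit, not proof: confirm with the process
    that owns the socket (e.g. netstat -ano) before acting on it."""
    hits = []
    for line in netstat_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[0].upper() == "TCP" and parts[3].upper() == "LISTENING":
            local = parts[1]
            if local.rsplit(":", 1)[-1] == str(WORM_FTP_PORT):
                hits.append(local)
    return hits


def triage(names: List[str], netstat_lines: List[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report for a quick infection assessment."""
    return {"files": suspicious_filenames(names),
            "listeners": sasser_ftp_listeners(netstat_lines)}


if __name__ == "__main__":
    print(triage(SAMPLE_SYSTEM32, SAMPLE_NETSTAT))
```

On a live machine, replace the constructed samples with `os.listdir` of the system32 directory and the lines of `netstat -an`; any hit should be followed by a full scan with current definitions and the MS04-011 patch, as the thread concludes.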
  13. DiScoTeknix

    DiScoTeknix Guest

I had never even heard of the Sasser worm until you posted, Keyzs, thank you for the link/info, it shed A LOT of light on what had happened and all the random crap I found on my PC. If only I had known about it before I got rid of the worm, it would have saved me 4 hours :big grin: haha.
     