W32time.exe file and virus Backdoor.RemoteNC

W32time.exe file and virus Backdoor.RemoteNC

Post by Sandy Modesit » Wed, 10 Jul 2002 02:37:03



Hi,
We have had 2 of our servers (windows 2000 server SP2) affected with the
Backdoor.RemoteNC virus via the winnt\system32\W32Time.exe file.  NAV CE7.5
can't clean it since the process is running.  I was going to delete the
file, but in looking at Microsoft articles, it sounds like it is needed for
the W32Time Time service (at least that's the way it sounds).

Two questions:
1) How do I determine whether the file is actually needed or if we had the
Time Service running before this virus affected our server?
2) If I do need to delete the file and determine that I really do need it,
how do I get a "clean" copy of it.  It isn't found on any of our servers
that aren't infected (2/3 are infected).

Thanks.
Sandy

 
 
 

1. Backdoor Virus - Svchost.exe

Hello there!

I've seen this instance before.  I think my Windows 2000
Desktop PC (connected to a Win NT 4.0 Server) got hacked
as a remote host.  I'm thinking that a directory was added
to system32 directory.  When I try to shut down & logoff,
I get the following error message:

Windows cannot end this program.  It may need more time to
end this operation:
c:\winnt\system32\drivers\etc\svchost.exe

I noticed that there are several files in the etc
directory that display text files with info. from Rhino
Software displaying FTP statistics.  I can see that they
login in to my server and are piggybacking my IP address.  
There is also a regadd file to add to my registry.  It
looks like they reset my registry to point the svchost.exe
file to this new directory c:\winnt\system32
\drivers\etc\svchost.exe

Any advice on how to remove the virus (directories) and
restore my registry.

Thanks!
Scott

2. US-CA-Silicon Valley NT Internals-SMB-CIFS Software Developer-Recruiter

3. Backdoor Virus - hacker - svchost.exe

4. FS: IPX's and Sparc2's (UK)

5. backdoor virus & mueexe.exe

6. Finding DHCP masters & relay agents

7. Backdoor and Backdoor.ini Files

8. Startup in MSCONFIG

9. Backdoor Virus dvldr infecting fonts file

10. BACKDOOR.POLY virus cleaned; how to restore deleted files

11. C:\windows\absr.exe (Virus) C:\windows\ausvc.exe (virus)

12. W32TIME.EXE