txtr8r asked:
rbot worm?
OK, this should be easy for most of you and worth 300 points, but I cannot figure this one out. I have about 30 users that IT will not let on the network because of ARP storms. The platforms are NT4, W2K, and XP. These machines were not security patched but are running McAfee 7.1. Now all are security patched and have the latest DAT and engine. McAfee does not detect a virus, but in the reg there are entries "start upping" and "iexplorerupdt.exe". This happened at another location last week and I manually had to delete all of the references in the reg, spyware, and files in system32; systems were clean. Now it doesn't work at this location across town. What would cause these machines to broadcast so much? We are talking ARP traffic and it is about 9000b in half a min...
http://www.sophos.com/virusinfo/analyses/w32rbotma.html
Used in DoS attacks.
ASKER
Yes, thank you. I have tried Trend Micro and it does detect and delete some but not all, even in safe mode... Even if I do get it deleted, in one instance I had to change the NIC board... And for DoS attacks, that is more along the lines of what I was thinking, being this is the same company... Is there an easy way to prove/clean the ARP cache? IT needs proof... I am just a lowly desktop support person...
>> it does detect and delete some but not all
Why? Does it throw any error?
ASKER
Cannot delete, in use; therefore I go into safe mode with no network connection.
ASKER
Am I looking at too many variables with 3 different platforms?
ASKER
Oh, one more thing: last week at the other location it was "start upping" with taksmgr.exe... Why would the file name change? Is this what the Rbot does?
ASKER CERTIFIED SOLUTION
Start Upping is also related to the Rbot worm!
SOLUTION
ASKER
I started those scans before I left tonight on one machine; will check it tomorrow... Do you have any info on the DoS attacks, how to detect them? Should I give a MAC address to IT, can they check it, or is this the wrong avenue? The reason I ask is the network admin was just removed...
ASKER
None worked... Back to the old search and delete; it works on some machines and not on others... Last time I had a question, Cisco came out with a known issue a week later; maybe so will McAfee or some other security company. Thanks, and I would like to give you each 100 pts for trying, but how would I go about that?
Sorry to hear that... You can ask in the Support area for a refund for this question :)
good luck :)
Trend Micro should detect it if it's present on the machines >> http://uk.trendmicro-europe.com/consumer/security_info/ve_detail.php?Vname=WORM_RBOT.ABQ
Run this online virus scan to verify it >> http://housecall.trendmicro.com/
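As an added example, not code from this thread and not a McAfee, Trend Micro or Sophos tool, the script below shows the two pieces of evidence the asker could hand to IT: the Run/RunServices values the thread names ("start upping" pointing at iexplorerupdt.exe or taksmgr.exe), read from `reg query` output, and which MAC addresses are flooding ARP requests, counted from a capture taken at a switch span port. The value name and file names are the ones named in the thread; the `reg query` and `tcpdump -e` line formats it parses, the constructed sample data, and the 5 requests/second threshold are assumptions.

```python
"""Added example, not code from the thread or any vendor.

Two checks IT could use as evidence for the hosts in this thread:
  1. the Run/RunServices values the thread names ("start upping" pointing
     at iexplorerupdt.exe or taksmgr.exe), read from `reg query` output;
  2. which MAC addresses are flooding ARP requests, counted from a
     tcpdump -e style capture taken at a switch span port.
The indicator names come from the thread; the sample data, the regexes
and the 5 requests/second threshold are assumptions.
"""
import re
from collections import Counter

SUSPECT_VALUE_NAMES = {"start upping"}                 # value name from the thread
SUSPECT_FILES = {"iexplorerupdt.exe", "taksmgr.exe"}   # file names from the thread

# One "    <name>    REG_xx    <data>" line of `reg query <key>` output
# (XP's reg.exe separates the fields with tabs, later versions with spaces).
REG_VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def find_suspect_run_entries(reg_output):
    """Return (key, value_name, data) for every value matching an indicator."""
    hits = []
    key = None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):          # reg query prints the key before its values
            key = line.strip()
            continue
        m = REG_VALUE_LINE.match(line)
        if key is None or m is None:
            continue
        name, data = m.group("name"), m.group("data").strip()
        if name.lower() in SUSPECT_VALUE_NAMES or any(f in data.lower() for f in SUSPECT_FILES):
            hits.append((key, name, data))
    return hits


# ARP request line as printed by `tcpdump -e -n arp`: source MAC first,
# broadcast destination, then the sender IP after "tell".
ARP_REQUEST = re.compile(
    r"(?P<src>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) > ff:ff:ff:ff:ff:ff, ethertype ARP.*?"
    r"Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)",
    re.IGNORECASE,
)


def arp_request_counts(capture_text):
    """Count broadcast ARP requests per source MAC; replies are ignored."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = ARP_REQUEST.search(line)
        if m:
            counts[m.group("src").lower()] += 1
    return counts


def arp_flooders(capture_text, window_seconds, max_requests_per_second=5.0):
    """Map source MAC -> requests/second for hosts above the threshold."""
    return {
        mac: n / window_seconds
        for mac, n in arp_request_counts(capture_text).items()
        if n / window_seconds > max_requests_per_second
    }


# Constructed sample data (not captured from the thread's machines).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /silent
    start upping    REG_SZ    iexplorerupdt.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    start upping    REG_SZ    taksmgr.exe
"""

# Ten-second window: one host walks the subnet (120 requests), a normal host
# asks for its gateway once, and a reply comes back (not a request).
SAMPLE_ARP_CAPTURE = "\n".join(
    [f"12:00:0{i % 10}.{i:06d} 00:0c:29:aa:bb:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
     f"length 60: Request who-has 10.1.2.{i} tell 10.1.2.200, length 46" for i in range(1, 121)]
    + ["12:00:03.000000 00:0c:29:aa:bb:02 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
       "length 60: Request who-has 10.1.2.1 tell 10.1.2.51, length 46",
       "12:00:03.000100 00:0c:29:aa:bb:99 > 00:0c:29:aa:bb:02, ethertype ARP (0x0806), "
       "length 60: Reply 10.1.2.1 is-at 00:0c:29:aa:bb:99, length 46"]
)

if __name__ == "__main__":
    for key, name, data in find_suspect_run_entries(SAMPLE_REG_OUTPUT):
        print(f"suspect autorun value: {key}  {name} = {data}")
    for mac, rate in arp_flooders(SAMPLE_ARP_CAPTURE, window_seconds=10).items():
        print(f"ARP flooder: {mac} sends {rate:.1f} requests/s")
```

On a live host, feed it the output of `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` (and the RunServices key) and a capture from a span port; `tcpdump -e -n arp` prints lines in the form parsed here. A host that is not scanning sends ARP requests sporadically, so a per-MAC rate well above the threshold, together with that MAC, is the kind of figure IT can act on; the subnet-walking pattern in the sample is an assumption about how an infected host behaves, not something the thread measured.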