New virus form of Trojan.Spexta: u.exe and sock.exe files are left. Any ideas?
Posted on 2007-03-29
A new virus is really doing a number on our computers. It basically makes the computer so slow that it is near unusable. I know it has an emailer built in because Symantec corporate 10.0.4 reports that it is scanning emails on some computers. I first was flagged down by a secretary who was showing me on her computer that a virus had been found and removed by Symantec. This virus was called Trojan.Spexta and Symantec said it had removed it. This was when the computer then became very very very slow.
I then opened the C: drive and found a U.exe file and a Sock.exe file. The internet would no longer come up on a regular basis and the computer would literally crawl. I worked on this all day and could remove those two files, but it appeared to come back within 5 minutes. This led me to believe a couple of things: either it had a file somewhere doing a redundant check, or it was hitting our network so hard that it would become reinfected within 5 minutes. I believe it was the latter.
I phoned Symantec support; in the past they have helped me fix problems like this on new viruses. The tech guy said he had just received a phone call with my exact problem and it was a 0-day virus that had just come out.
So after a whole day of cursing and trying not to throw things, I am very frustrated, but this virus seems to give me telltale signs of a couple of viruses, but neither of them totally fits the bill. I now know the U.exe file is present before the Spexta virus. U.exe was the name of a file used in what I believe was the spybotsd worm that had tried to hit us earlier this year. Then, almost immediately after getting a message about the Spexta virus, the sock.exe file is there and the computer begins to lag and grind to a halt. Internet problems begin almost immediately, which tells me that something with Winsock may be happening. I remember a virus that placed a sock.exe file at the root drive before but can't remember the name now. I also know that this virus spreads very fast and attempts to email itself a lot more times. It was killing our internal traffic. I also have noticed that on a couple of computers that were not fully up to date, the updates would not install. However, this virus took out 1/3 of our completely updated computers.
I am home now and didn't bring the registry entries, but when I ran HijackThis I came across a few new entries. However, as soon as I remove them, a few minutes later they reappear. I am guessing until the vulnerable spot is fixed the virus can keep coming.
I know it's a long shot, but I am wondering if someone has had this problem today or recently and found a solution. I would LOVE to hear about it.
Also, the Spexta virus appears in a different place than what is reported in all the fixes. The virus seems to attach itself to office.exe this time around. All files except for this one appear at the root drive, or C: in our case.
One last thing: I know the virus was hitting port 8080, which prevents it from coming in but not from spreading through our network. I have had to shut down over 400 computers now and I have a feeling the virus is worse than we even know right now. I appreciate any help.