New virus, a form of Trojan.Spexta: u.exe and sock.exe files are left. Any ideas?

A new virus is really doing a number on our computers. It basically makes the computer so slow that it is near unusable. I know it has an emailer built in because Symantec Corporate 10.0.4 reports that it is scanning emails on some computers. I first was flagged down by a secretary who was showing me on her computer that a virus had been found and removed by Symantec. The virus was called Trojan.Spexta and Symantec said it had removed it. This was when the computer then became very, very, very slow.

I then opened the C: drive and found a U.exe file and a Sock.exe file. The internet would no longer come up on a regular basis and the computer would literally crawl. I worked on this all day and could remove those two files, but they appeared to come back within 5 minutes. This led me to believe one of two things: either it had a file somewhere doing a redundant check, or it was hitting our network so hard that the machine would become reinfected within 5 minutes. I believe it was the latter.

I phoned Symantec support; in the past they have helped me fix problems like this on new viruses. The tech guy said he had just received a phone call with my exact problem and that it was a 0-day virus that had just come out.

So after a whole day of cursing and trying not to throw things I am very frustrated, but this virus seems to give me telltale signs of a couple of viruses and neither of them totally fits the bill. I now know the U.exe file is present before the Spexta virus. U.exe was the name of a file used in what I believe was the Spybotsd worm that had tried to hit us earlier this year. Then almost immediately after getting a message about the Spexta virus the sock.exe file is there and the computer begins to lag and grind to a halt. Internet problems begin almost immediately, which tells me something may be happening with the winsock. I remember a virus that placed a sock.exe file at the root drive before but can't remember the name now. I also know that this virus spreads very fast and attempts to email itself a lot more times. It was killing our internal traffic. I also have noticed that on a couple of computers that were not fully up to date the updates would not install. However, this virus took out 1/3 of our completely updated computers.

I am home now and didn't bring the registry entries, but when I ran HijackThis I came across a few new entries. However, as soon as I remove them, a few minutes later they reappear. I am guessing that until the vulnerable spot is fixed the virus can keep coming.

I know it's a long shot, but I am wondering if someone has had this problem today or recently and found a solution. I would LOVE to hear about it.

Also, the Spexta virus appears in a different place than what is reported in all the fixes. The virus seems to attach itself to office.exe this time around. All files except for this one appear at the root drive, or C: in our case.

One last thing: I know the virus was hitting port 8080, which prevents it from coming in but not from spreading through our network. I have had to shut down over 400 computers now and I have a feeling the virus is worse than we even know right now. I appreciate any help.

ItsChad (Author) commented:
Another thing I just thought of is that recently these computers had "Buffer overflow" error messages for Symantec, which I know was a vulnerability in the past but thought it was fixed.
Windows XP SP2 comes with a built in firewall.

Is that enabled on the client computers (assuming you are using XP, of course)?

This should stop the virus/worm from further infecting clients.


ItsChad (Author) commented:
It is enabled on all computers. Thanks for the attempt at helping, though. I have noticed a lot of IRC traffic on our network when I analyzed the traffic yesterday. Not sure if this is part of it or not.

ItsChad (Author) commented:
I now know the name of the virus: it is cryptexe and is pretty nasty. AVG Free just released two updates today that take care of it.

Thanks for the help
We were hit and hit hard. I think I was the call before you in the Symantec pool; they told me the same thing, which was "good luck with that". Here is what we have been doing.

First we patched people to Symantec Client Security 10.1.1001 (the buffer overflow patch). We have 10.2; it doesn't work.

We uninstalled Norton on the servers and installed McAfee. McAfee still does not find it, but it does have a feature that doesn't allow executables to run from temp folders, so it blocks it effectively.

On each of the servers we have installed a batch file that does this:

@echo off
rem Move the dropped binary aside, then put a read-only placeholder (a prepared c:\u.txt) in its place so the worm cannot re-create c:\u.exe
rename c:\u.exe u100.exe
rename c:\u.txt u.exe
attrib +r c:\u.exe

We called the batch file UX.bat. It seems to work well for now.

The desktops that have been infected we have been ghosting and swapping for two days.

Other files we have found to look for:

On the desktops we have turned off System Restore and deleted all the reg keys that point to these files.

I can't wait for August when my Symantec contract is up for renewal, and they ask me for MY 20 Grand, I am going to say with a straight face... "Good Luck with that"

I will post more as I figure out more. Good luck, chief. We have been able to patch and clean some machines by deleting the temp folder under Default User as well as any files we deem as garbage; otherwise it's ghost and go.

Just a few remarks regarding Symantec. It's not that they are complete <insert swearword here>, but Symantec is today one of the first AV solutions a virus is checked against during the design phase.

So when Symantec and others are unable to detect that malware, the virus is released.


Known for good detection/removal results and still rather unknown is Kaspersky Antivirus.

You should give it a try:

Here is a free 30-day trial:

Here is what ended up working for us after working with Symantec for almost a full week to the day from the original call.

They had us update from 10.0.100 to 10.0.1001. That did not work. Then they had us update to 10.0.2000; that helped a little, but not for infected PCs.

We called back today to speak with them again because we just didn't feel comfortable with our current solution. The tech told us we needed to get off the 10.0.XXX builds because they are the problem. They had us install 10.1.5000, which did work well, except the servers were down, the SSC was inoperable, and none of the passwords stuck.

They then had us download 10.1.6000 and said this was the newest they had. Install this version, get the current updates, take the machine off the network, boot to safe mode, do a full scan and have it remove everything it finds. Then boot it up.

You need to uninstall SSC from any computer and then install, then reinstall the SSC on that computer from the 10.1.6000 build.

- FYI: McAfee v85i has worked really well since we installed it on the few machines we were having issues getting Symantec installed on. If that happens, we ran nonav, then installed McAfee, let it scan, repair and delete, took off McAfee, then installed Symantec 10.1.6000, and things have been well.

So in a nutshell, if you are a Symantec Corporate user, get your hands on 10.6.6000. This is the best copy they have, and it also works in conjunction with the Microsoft patch released yesterday and the one that is coming in the next few days from Microsoft.

- Have fun

Experts Exchange Solution brought to you by
ItsChad (Author) commented:
Sorry about the delay in responding; it has been crazy times.

Not that I am glad you had it, but sometimes it is nice to know we are not alone. We have the virus figured out, but that is about it.

The first day I went and found that 3/4 of the computers at one site had it. I went through the joy of updating their antivirus to a version of Symantec that would find most of the virus, then running it in safe mode. We did this and asked everyone to keep their computers off. Well, someone turned one on unknown to us, and after we gave everyone the go-ahead to turn them on, those few computers left on reinfected the site.

So the next day I was able to go and do some port analysis. I found the ports that were getting hit hard and I blocked them; one of them, however, was 8080, which isn't the best-case scenario for ports to block, but sometimes you have to ;) We also have a PacketShaper and it showed that IRC was getting bogged down with hits. I was able to discard all traffic from IRC, and this saved the other sites within our network, I now believe.

The files were hooking themselves to share folders on the network and spreading that way. We researched and blocked around 5 ports, I believe. To get rid of the virus I had to upgrade everyone's rights on all computers so they could delete from the windows\system32 folder. This allowed all of them to remove the virus without an administrator logging in. By doing this we have it contained and are just waiting for a fix from Microsoft so we can unblock the ports.

I hope my jumbled paragraphs may help someone who runs into this nasty virus. It wasted about 4 days of my life I would like to have back :)
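The containment described in the post above (spotting the IRC traffic and the hosts hammering the spread ports, then isolating them) can be automated from connection records. The following is an added example, not code from the thread or from any participant. It assumes a constructed, simplified log format of "time src dst dport" per line; the IRC port 6667 and the use of 139/445 as stand-ins for "spreading through share folders" are assumptions, since the thread only names 8080 explicitly, and the fan-out threshold is an arbitrary illustrative value.

```python
"""Flag likely worm-infected hosts from connection records.

Added example, not from the original thread. The log format, the SMB
ports used to represent share-based spreading, the IRC port and the
fan-out threshold are all assumptions for illustration.
"""
from collections import defaultdict

# Port 8080 is the one the thread names; 139/445 are an assumption standing
# in for "share folders"; 6667 is the conventional IRC port (assumption).
IRC_PORTS = {6667}
SPREAD_PORTS = {8080, 139, 445}
FANOUT_THRESHOLD = 5  # distinct peers on spread ports before a host is flagged

# Constructed sample log: one infected host fanning out and talking IRC,
# one host only on IRC, one normal file-server client, and a malformed line.
SAMPLE_LOG = """\
10:00:01 10.1.1.20 10.1.1.21 445
10:00:01 10.1.1.20 10.1.1.22 445
10:00:02 10.1.1.20 10.1.1.23 8080
10:00:02 10.1.1.20 10.1.1.24 445
10:00:03 10.1.1.20 10.1.1.25 445
10:00:03 10.1.1.20 10.1.1.26 8080
10:00:04 10.1.1.20 192.0.2.9 6667
10:00:05 10.1.1.30 10.1.1.5 445
10:00:06 10.1.1.30 10.1.1.5 445
10:00:07 10.1.1.40 192.0.2.9 6667
10:00:08 10.1.1.50 10.1.1.5 80
this line is garbage and must not abort the sweep
"""


def parse_log(text):
    """Return (src, dst, dport) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            dport = int(parts[3])
        except ValueError:
            continue
        records.append((parts[1], parts[2], dport))
    return records


def analyse(records):
    """Split hosts into isolate / investigate buckets from two signals:
    IRC traffic (possible bot control) and fan-out on the spread ports
    (a worm probing many peers, unlike a client using one file server)."""
    irc_talkers = set()
    peers_on_spread_ports = defaultdict(set)
    for src, dst, dport in records:
        if dport in IRC_PORTS:
            irc_talkers.add(src)
        if dport in SPREAD_PORTS:
            peers_on_spread_ports[src].add(dst)
    fanout = {src for src, peers in peers_on_spread_ports.items()
              if len(peers) >= FANOUT_THRESHOLD}
    return {
        "irc": sorted(irc_talkers),
        "fanout": sorted(fanout),
        # Both signals: pull the cable now. One signal: look before acting.
        "isolate": sorted(irc_talkers & fanout),
        "investigate": sorted(irc_talkers ^ fanout),
    }


if __name__ == "__main__":
    result = analyse(parse_log(SAMPLE_LOG))
    for bucket, hosts in result.items():
        print(f"{bucket:12s} {', '.join(hosts) or '-'}")
```

The fan-out count matters more than the port list: a normal client talks to one or two file servers, a worm sweeps dozens of peers in seconds, which is exactly what turned the author's first clean-up into a reinfection when a few machines were left powered on.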