• Status: Solved
  • Priority: Medium
  • Security: Public

Virus that changes any exe file to *lib.exe ?

Hello Guys,
I am experiencing a weird problem on my network.
First of all I detected a sexscreensaver.exe virus on the network that was caught by NOD32.
Then I started to notice that all executables on my workstations have the lib attached to them.
So mspaint.exe was renamed mspaintlib.exe and made hidden, and a new shortcut mspaint.lnk was created pointing to mspaintlib.exe.

Please help.
Asked by: ammounpierre
 
dbrunton Commented:
Virus again (well still the same virus)

http://www.sophos.com/security/analyses/viruses-and-spyware/w32malasa.html

Run Nod again.  It should get it.
 
ammounpierre (Author) Commented:
Shall I scan all the computers on the network?
 
dbrunton Commented:
Scan any computer that could have affected this one.  If it could be a network computer then scan it.
 
ammounpierre (Author) Commented:
Can I run Windows 2003 Server in safe mode?
 
dbrunton Commented:
can I run windows 2003 server in safe mode ?

You'd probably lose all your networking connections possibly if you do that.

If the virus is on the server wait for all users to be finished with the server before you do anything with that.
 
phototropic Commented:
Seems to be a common infection:
Win32.Malas.b (Kaspersky),
W32/Bindo.worm (McAfee),
W32.Linkfars (Symantec),
Worm/Bindo.A (Avira),
W32/Malas-A (Sophos),
Worm:Win32/Malas.gen (Microsoft)

It is spread via P2P file sharing, so you might want to review whatever user education program you have in place regarding that sort of thing.
Kaspersky has a removal tool:

http://www.kaspersky.nl/en/virus-removal-tools/p2p-worm.win32.malas.b.html

Symantec have manual removal instructions:

http://www.symantec.com/security_response/writeup.jsp?docid=2007-110506-1023-99&tabid=3

If some of your network PCs are running P2P file sharing software and downloading files, this is just the first of many infections.  People should not use work computers to download music and porn. You should get on top of this immediately...
 
ammounpierre (Author) Commented:
And how do I rename my exe files? (from xyzlib.exe to xyz.exe)
Thanks
 
dbrunton Commented:
Windows Search

Do a search on *lib.exe

That should return all of the files concerned.  I don't think there will be too many from reading what the virus does.

Note the attached example.  In this one it's searching drives C: and E:  Change that to your own drives configuration.
search.jpg
 
dbrunton Commented:
Once it's found the files you should be able to click on them.  Press F2 to rename.
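The search-and-rename steps from the comments above, written as a script (an added example, not part of the original thread). It assumes only the pattern the question describes: `xyz.exe` renamed to `xyzlib.exe`, marked hidden, with a sibling `xyz.lnk`; the function names are hypothetical.

```python
import os
import sys
from pathlib import Path

SUFFIX = "lib.exe"            # xyz.exe -> xyzlib.exe, as reported in the question
FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows file attribute bit

def is_hidden(path):
    """True when the Windows Hidden attribute is set (always False off Windows)."""
    return bool(getattr(path.stat(), "st_file_attributes", 0) & FILE_ATTRIBUTE_HIDDEN)

def find_renamed(root, require_hidden=True):
    """Return (renamed, original) path pairs that match the reported pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower() for f in files}
        for f in files:
            if not f.lower().endswith(SUFFIX) or len(f) == len(SUFFIX):
                continue
            stem = f[:-len(SUFFIX)]
            # Require the sibling shortcut (xyz.lnk) so that legitimate programs
            # whose names merely end in "lib.exe" are not touched.
            if stem.lower() + ".lnk" not in names:
                continue
            renamed = Path(dirpath, f)
            if require_hidden and not is_hidden(renamed):
                continue
            hits.append((renamed, renamed.with_name(stem + ".exe")))
    return hits

def restore(pairs, dry_run=True):
    """Rename each file back; never overwrite an existing xyz.exe. Returns new paths."""
    restored = []
    for renamed, original in pairs:
        if original.exists():
            continue  # name already taken: leave both files for manual review
        if not dry_run:
            renamed.rename(original)
        restored.append(original)
    return restored

if __name__ == "__main__":
    # Usage: script.py C:\ E:\ [--apply]   (lists only unless --apply is given)
    apply = "--apply" in sys.argv
    for root in (a for a in sys.argv[1:] if a != "--apply"):
        for path in restore(find_renamed(root), dry_run=not apply):
            print(("restored " if apply else "would restore ") + str(path))
```

Run it only after the scanner reports the machine clean, and review the listing before passing `--apply`. Restored files keep their Hidden attribute until it is cleared (for example with `attrib -h`), and the leftover `.lnk` shortcuts are not removed.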
Question has a verified solution.
