backdoor windows.exe virus? (c.bat / .pif)

Status
Not open for further replies.

Bremer

IS-IT--Management
Sep 20, 2002
5
US
Anyone seen this?

Windows.exe process monopolizing CPU on infected machines

Infected machines flood network with ARP requests for random IP addresses apparently based on subnet (i.e. 10.10.*.*).

On a hit, the ARP response to the infected host will kick off an (?)RPC(?) sequence to copy .pif, then c.bat, and finally windows.exe.

In addition to propagating itself, it appears to try to connect to 213.35.161.4

Affecting Win2K server and professional

Thanks...

 
Had this. The way we handled it was to disconnect all PCs from the network and clean each one by removing the exe and all occurrences of .pif, the exe, and c.bat from the registry.
There can be a couple of exes that are on it. One is similar to MS Messenger, and one is similar to Windows Update. If I remember correctly, msmsng.exe and wnupdate or something similar. After all PCs are clean you may then connect them to the network, BUT NOT UNTIL ALL of them are clean. If even one PC is missed, you will re-infect them all again.
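
Added example, not part of the original thread: a Python sketch for finding which machines are still sweeping the subnet with ARP requests, as described in the first post, by counting distinct ARP targets per sender in `tcpdump -n arp` text output. The function names, the window and threshold values, and the sample capture are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque

# e.g. "12:00:01.000000 ARP, Request who-has 10.10.3.7 tell 10.10.1.25, length 46"
ARP_REQ = re.compile(
    r"^(\d{2}):(\d{2}):(\d{2})\.(\d+) ARP, Request who-has (\S+)"
    r"(?: \([^)]*\))? tell ([^,\s]+)"
)

def parse(line):
    """Return (seconds, sender, target) for an ARP request line, else None."""
    m = ARP_REQ.match(line.strip())
    if not m:
        return None
    h, mi, s, frac, target, sender = m.groups()
    return int(h) * 3600 + int(mi) * 60 + int(s) + float("0." + frac), sender, target

def find_arp_sweepers(lines, window=10.0, max_targets=20):
    """Map sender -> peak distinct ARP targets within `window` seconds (assumed limits)."""
    recent = defaultdict(deque)  # sender -> (timestamp, target) pairs in window
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:          # replies and non-ARP lines are ignored
            continue
        ts, sender, target = rec
        q = recent[sender]
        q.append((ts, target))
        while ts - q[0][0] > window:
            q.popleft()
        distinct = len({t for _, t in q})
        if distinct > max_targets:
            peaks[sender] = max(peaks.get(sender, 0), distinct)
    return peaks

def sample_capture():
    """Constructed capture: 10.10.1.25 sweeps 10.10.*.*, 10.10.1.30 is normal."""
    lines = []
    for i in range(40):
        target = f"10.10.{(i * 37) % 256}.{(i * 91 + 5) % 256}"
        stamp = f"12:00:{i // 10:02d}.{(i % 10) * 100000:06d}"
        lines.append(f"{stamp} ARP, Request who-has {target} tell 10.10.1.25, length 46")
    for i in range(5):
        lines.append(f"12:00:{i:02d}.500000 ARP, Request who-has 10.10.0.1 tell 10.10.1.30, length 46")
    lines.append("12:00:01.600000 ARP, Reply 10.10.0.1 is-at 00:11:22:33:44:55, length 46")
    return sorted(lines)

if __name__ == "__main__":
    print(find_arp_sweepers(sample_capture()))
```

Run against a capture taken on the affected segment, any sender it reports is a candidate for the one missed PC that would re-infect the rest.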
 