Malware Spoolscc.exe

[ToeCutter]

On waking up and noticing the performance on my machine was poor I discovered this C:\WINDOWS\system32\spoolcll.exe running as a service "Event Monitor". You cant kill the process because it spawns another and the file is of course locked so you can't delete it.

The best way to "switch it off" is to go into the services control panel, and set the service to disabled, then reboot.

It listens on 3 TCP ports, one of which gets randomly re-assigned every so often, so filtering on ports may not help.

Its just another scummy remote admin virus by the look of things and tftp's files from the remote system.

I'm having a hack at it now, and will post more information as I find out more.

[taxexile]

toe cutter , have a look at this downloadable programme....procexp.exe

Process Explorer for Windows 9x/NT/2000/XP/S2K3

Copyright © 1998-2004 Mark Russinovich

Sysinternals

www.sysinternals.com

Using Process Explorer

----------------------

Start procexp.exe from its home directory. Complete usage

instructions are available in the on-line help file.

See Sysinternals for more monitoring tools, including

a Registry monitor.

[email protected]

[RDN]

toe cutter , have a look at this downloadable programme....procexp.exe

Process Explorer for Windows 9x/NT/2000/XP/S2K3

Copyright © 1998-2004 Mark Russinovich

Sysinternals

www.sysinternals.com

Using Process Explorer

----------------------

Start procexp.exe from its home directory. Complete usage

instructions are available in the on-line help file.

See Sysinternals for more monitoring tools, including

a Registry monitor.

[email protected]

<{POST_SNAPBACK}>

Thanks Taxexile - so much better than Windows "Task Manager" and Norton's "Process Viewer". And I love that you can hover the mouse over the CPU usage trace and it tells you which process was using the CPU. Excellent! (Got any more like this? )

[stumonster]

"A report on the Australian Whirlpool Forum suggest that a worm is currently taking out MySQL servers running on Windows. We have seen this happen with MSSQL before (not just 'Slammer', but also SQLSnake that used SA accounts without password). The SANS Internet Storm Center suggests that a rise in port 3306 scans can be attributed to the new worm, and is asking for observations to help figure this out. It appears the worm creates a file called 'spoolcll.exe'."

thx slashdot http://it.slashdot.org/article.pl?sid=05/0...&tid=172&tid=95

[ToeCutter]

Ah yes - I've already got process explorer - one of the best utilities in my toolbox I have to say - well done sysinternals

I;ve reported the virus to trendmicro and had a look around at how this virus propagates. Early indications would seem to point at unsecured MySQL installations.