I don’t know if this has been posted already and I don’t know if this is the proper place for it. If any passing admin or mod can think of a better place then feel free to move it there.
Like many other IT staff this past week I’ve spent just about every waking hour trying to take care of the MSBlast virus. In the process we’ve managed to discover two more viruses on the loose. The function of one we don’t understand yet but the other can cause some problems for anyone running Windows 2000.
The virus is an IP worm which propagates in a similar fashion to the Blast worm in that it scans sets of nearby IP addresses for open ports and then attacks them. At the time the port that it attacks seems to be random but we’re still looking to see if there is a discernible pattern.
Once on your computer the virus appears to perform two functions.
1) It masks the system file CSRSRV.dll, making it invisible to patch and upgrade utilities, and will also cause your computer to enter into a reboot loop when attempting to load Windows.
2) Somehow (we don’t know exactly how yet) corrupts any MSOffice2000 installation on the infected machine.
To fix the reboot loop problem:
1. Find an uninfected Windows 2000 or higher machine and copy the missing dll to a floppy disk.
2. Boot the affected machine with a Win2k install disk and when prompted for action select the option to repair a current installation, then select recovery console.
3. Enter the machine’s administrator password.
4. Transfer the dll on floppy to the Winnt/system32 directory of your C: drive (for the non-DOS savvy just use this command:
   copy a:\csrsrv.dll c:\winnt\system32
   ). If the directory isn’t found then transfer it to c:\windows\system32.
5. Take the machine off of the network/internet and apply all service packs and patches.
6. Reinstall Office.
With the help of Symantec we’ve put together a 4-step process to clean the machines after they’ve been made bootable again. When I can get into work to grab a copy of the CD I’ll put them online and provide a link.
As far as the 3rd virus goes the only thing we know right now is that it attacks on any open ports above 10000 that it can locate (we believe the first may function as a mask for the 2nd). If any network analysts out there observe this behavior and anything related to it I’d greatly appreciate any info you can send my way.
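The post describes two behaviours a network analyst can look for: a host sweeping nearby addresses for open ports, and connections aimed at ports above 10000. The following is an added example, not code from the original post or from Symantec, that runs that detection logic over a few constructed firewall-style log lines ("src dst dport" per line). The 10000 port threshold comes from the post; the MIN_TARGETS value, the log format and the sample addresses are assumptions made here for illustration.

```python
"""Flag sources whose connection attempts look like worm-style scanning of nearby hosts on high ports."""
from collections import defaultdict
import ipaddress

# Constructed sample log (not from the original post): one "src dst dport" record per line.
# 10.1.4.20 sweeps its own /24 on ports above 10000; the other two sources are ordinary traffic.
SAMPLE_LOG = """\
10.1.4.20 10.1.4.21 10512
10.1.4.20 10.1.4.22 10512
10.1.4.20 10.1.4.23 23876
10.1.4.20 10.1.4.24 31337
10.1.4.20 10.1.4.25 15004
10.1.4.20 10.1.4.26 44444
10.1.4.20 10.1.4.27 10001
10.1.4.20 10.1.4.28 62000
10.1.4.77 10.1.9.5 443
10.1.4.77 10.1.9.5 443
10.1.4.77 10.1.9.6 80
10.1.4.88 10.1.4.89 135
"""

HIGH_PORT = 10000   # from the post: the third worm targets open ports above 10000
MIN_TARGETS = 5     # assumption: distinct neighbours in one /24 before a source is flagged


def parse_lines(text):
    """Yield (src, dst, port) tuples, skipping blank or malformed records."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]),
                   ipaddress.ip_address(parts[1]),
                   int(parts[2]))
        except ValueError:
            continue


def find_scanners(text, high_port=HIGH_PORT, min_targets=MIN_TARGETS):
    """Return {src: {...}} for every source that hit at least `min_targets`
    distinct hosts inside a single /24 on ports above `high_port`."""
    per_src = defaultdict(lambda: {"nets": defaultdict(set), "ports": set()})
    for src, dst, port in parse_lines(text):
        if port <= high_port:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        per_src[src]["nets"][net].add(dst)
        per_src[src]["ports"].add(port)

    alerts = {}
    for src, info in per_src.items():
        net, hosts = max(info["nets"].items(), key=lambda kv: len(kv[1]))
        if len(hosts) >= min_targets:
            alerts[str(src)] = {
                "targets": len(hosts),
                "subnet": str(net),
                "same_subnet_as_source": src in net,   # "nearby" in the post's sense
                "ports": sorted(info["ports"]),
            }
    return alerts


if __name__ == "__main__":
    for src, info in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} hosts in {info['subnet']} "
              f"(same subnet: {info['same_subnet_as_source']}), ports {info['ports']}")
```

Point a real firewall or IDS export at `find_scanners` by converting each record to the "src dst dport" form; tuning `MIN_TARGETS` down will catch slower sweeps at the cost of more noise from legitimate high-port traffic such as passive FTP or RPC.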