Yes this file was located in a key named wintbp located in the run section
of the registry. I believe that this worm is using the same exploits that
are addressed in MS05-039. I have confirmed that once I delete the
file/registry keys and load the patch that addresses MS05-039 my symptoms go
away. The symptom appears to be an infinite reboot loop caused when
services.exe is terminated by the worm. We are using Etrust Antivirus which
did not detect this virus and once I submitted the file to CA they have come
back to me with a fix but by this point it has propagated to thousands of
machines on my network. Unfortunately we can't use our automated software
delivery tools to cleanup and install the patch because of the constant
rebooting of the infected machine. Seems like we will have to physically
visit thousands of machines tonight and continue until the job is done :(
Thoughts, comments, and suggestions are appreciated.
-----Original Message-----
From: Jacob Bresciani [mailto:jacob@bresciani.ca]
Sent: Tuesday, August 16, 2005 6:11 PM
To: focus-virus@securityfocus.com
Cc: Schlegel, Justin
Subject: Re: wintbp.exe
Was this being started up in the registry? HKLM\Software\Microsoft
\Windows\Current Version\Run....
or somewhere else?
if it was in the registry what was the key named?
Jacob Bresciani
"Passwords are like bubble gum, strongest when fresh, should never be
used by groups and create a sticky mess when left laying around"
-anon
On Aug 16, 2005, at 12:00 PM, Schlegel, Justin wrote:
Hi,
My company has recently been hit with some variety of virus that is
rebooting our machines. As far as I can tell the process causing the
problem is wintbp.exe. I have searched in google and all the major AV
vendors for this file with no luck. Does anyone have any
information on
this process as I do not know what virus I am up against?
Thanks,
Justin
