
The OIT Virus Notification Program

Virus Alert:  Spybot

This virus uses the same RPC security flaw as Lovesan to spread between Windows 2000 and Windows XP computers. This particular virus installs an IRC bot on the computer it infects, and this IRC bot makes it possible for a hacker to take over the computer even after the computer has been patched and the system rebooted.

Like Lovesan, this virus does not require any user intervention to infect a machine: any computer that is not patched against the flaw can become infected and can spread the virus further.

It is possible that some computers that are in the process of being infected will reboot after several minutes with an error message about a "generic host process" problem or an "RPC service" failure: it may say that the shutdown is being initiated by the "NTAUTHORITY\SYSTEM" (note: there are instructions on how to stop such a shutdown further down on this page).

The only proven protection against this virus is to patch the RPC flaw on your computer. Instructions on how to do that are available on our RPC alert page at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.

Individuals who are running McAfee anti-virus products may see a virus warning pop-up regarding a virus/worm called New Malware.b. That alert is an indication that the virus is attempting to infect your system, and that McAfee is attempting to block it. If you see this warning, your system has probably been protected from the virus by McAfee, but the virus may still have succeeded in creating a command shell that is open to hackers (it should not, however, have created the IRC bot), so you should still go through the removal steps below just to be safe.

More Details

The virus (also referred to by some vendors as Randex or RPCSDBOT) travels by scanning random IP addresses for the presence of the RPC flaw via TCP port 135. When it finds a computer that still has the flaw, it creates a remote shell on TCP port 4444 on that machine and then starts a TFTP session to transmit the virus to the Windows system32 directory, where it creates two files. Those files are either:

  • winlogin.exe
  • yuetyutr.dll

OR

  • NSTASK32.EXE
  • WINSOCK32DRV.DLL

The virus then creates a number of registry keys to ensure that the virus and the IRC bot run every time Windows is started: a list of the registry keys can be found on McAfee's Spybot alert page.

Once the IRC bot is installed, it will connect to the IRC server le.x.lu.tc and await instructions from a hacker.

According to McAfee and Trend Micro, the virus also deletes the TFTP.exe program on the infected computer, which means that the computer cannot be infected again by either this virus or by Lovesan.
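One way to spot the propagation sequence described above (an RPC probe on TCP port 135, a follow-up connection to the shell on TCP port 4444 from the same source, then a TFTP transfer) in firewall or flow logs, as an added detection example that is not part of the original alert. The one-line log format and the IP addresses in the sample are constructed for illustration.

```python
"""Flag hosts that show the Spybot/Randex propagation sequence in flow logs.

Added example, not from the OIT alert. Constructed log format, one flow per line:
    <timestamp> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
A target is reported when one source hits TCP/135 on it and then TCP/4444 on it;
the finding is corroborated if the target then pulls a file over UDP/69 (TFTP).
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>TCP|UDP)\s+(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: 10.0.0.5 probes 10.0.0.7 and 10.0.0.9; only 10.0.0.9 gets the
# 4444 follow-up and then fetches via TFTP. 10.0.0.20 only touches port 135, which
# is also normal RPC endpoint-mapper traffic, so it must not be flagged on its own.
SAMPLE_LOG = """\
12:00:01 TCP 10.0.0.5:1033 -> 10.0.0.7:135
12:00:01 TCP 10.0.0.5:1034 -> 10.0.0.9:135
12:00:02 TCP 10.0.0.20:1500 -> 10.0.0.9:135
12:00:03 TCP 10.0.0.5:1035 -> 10.0.0.9:4444
12:00:05 UDP 10.0.0.9:1026 -> 10.0.0.5:69
"""


def parse(lines):
    """Yield (proto, src, dst, dst_port) for every line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            yield d["proto"], d["src"], d["dst"], int(d["dport"])


def detect(lines):
    """Return {target: {"scanner": src, "tftp": bool}} for targets hit on 135 then 4444."""
    probed = set()   # (src, dst) pairs that saw an RPC probe on 135
    shells = {}      # dst -> src that followed the probe with a 4444 connection
    tftp = set()     # (victim, server) pairs where the victim pulled via TFTP
    for proto, src, dst, dport in parse(lines):
        if proto == "TCP" and dport == 135:
            probed.add((src, dst))
        elif proto == "TCP" and dport == 4444 and (src, dst) in probed:
            shells[dst] = src
        elif proto == "UDP" and dport == 69:
            tftp.add((src, dst))
    return {dst: {"scanner": src, "tftp": (dst, src) in tftp}
            for dst, src in shells.items()}
```

Running `detect(SAMPLE_LOG.splitlines())` reports only 10.0.0.9, with 10.0.0.5 as the scanning host and the TFTP follow-up confirmed.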

Avoiding the Virus

Since no user intervention is required for the virus to move from computer to computer, the only way to avoid having the virus transmitted to your system is to apply the RPC security patch. Instructions on how to do this are available at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.

Removing the Virus

If your system has been infected by the virus, the first thing to do is to patch the system. Otherwise, your system would be infected again the moment you removed the virus. Download and install the appropriate patch as instructed at http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml.

Once your system has been patched, download and install Stinger, which is a stand-alone removal tool from McAfee. Run the tool to remove the virus from your system. Instructions for installing and using Stinger are available at http://vil.nai.com/vil/stinger/.

If you are running McAfee VirusScan or McAfee Netshield, you can manually update your virus definitions and run a full scan of your system as an alternative to running Stinger.

Users of the McAfee VirusScan or Netshield software can manually update their software in one of two ways. One way is to go to the McAfee corporate edition website (www.mcafeeb2b.com), click on Downloads (in the left column of options), then click on the link for DATs under the Virus Protection section. There you will find download links for both the DAT File and the SuperDAT file (the first two links). Click on and download the SuperDAT file, then double-click on the downloaded file to fully update your software.

The other way to update the software is through the VirusScan/NetShield Console component. VirusScan users can open the VirusScan Console by clicking on Start | Programs | Network Associates | VirusScan Console. Once the console window is open, select AutoUpdate from the list of tasks and then click on the Start button (the one with the green triangle) to perform the update (remember that you will need to be connected to the Internet at the time you perform this operation).

If you don't have any anti-virus software on your computer but you are a member of UMCP, you can download and install McAfee VirusScan from http://www.helpdesk.umd.edu/virus/software.shtml.

If your computer keeps rebooting too quickly to install the patch and remove the virus, there are instructions in our Frequently Asked Questions section on how to stop the shutdown.

Frequently Asked Questions

As this virus spreads, we expect to get similar questions about the virus as we did with Lovesan. Here are those questions and the answers.

Question: My anti-virus popped-up and alerted me that either New Malware.b or W32/Lovesan.worm was found on my system, but when I tried to clean or delete the virus, it said it could not do either action. Why? Is my machine infected?

Answer: If your software detected the virus but could not clean or delete it, that probably means that it actually caught the virus in its attempt to copy itself to your computer, so there was no file to clean or delete because the virus file was never created on your system. Just to be sure, check in your System32 folder (either C:\Windows\system32 or C:\Winnt\system32) for files called NSTASK32, WINSOCK32DRV, yuetyutr.dll or winlogin (note that there is a valid Windows file called "winlogon"--do not delete the valid file). If none of those files are present, then your machine is not infected, but you should go and apply the RPC patch for your computer (http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml) because the virus may have succeeded in opening a command shell on your system (the shell will be destroyed when the patch is applied and the system is rebooted). If any of those files ARE present, then use the removal steps above to remove them.

Question: My computer keeps rebooting every few minutes or so (either with or without an error message). You mentioned that the virus could cause this behavior: am I infected?

Answer: It is very likely that your computer is either infected or is being attacked by a computer that is infected. Either way, you need to install the RPC patch for your system (http://www.helpdesk.umd.edu/virus/alerts/rpcflaw.shtml). Then check in your System32 folder (either C:\Windows\system32 or C:\Winnt\system32) for files called NSTASK32, WINSOCK32DRV, yuetyutr.dll or winlogin (note that there is a valid Windows file called "winlogon"--do not delete the valid file). If any of those files ARE present, then use the removal steps above to remove them.

Question: My machine is rebooting itself too quickly for me to finish installing the patch or removing the virus. What can I do?

Answer: As soon as your Windows desktop appears, click on the Start button on the desktop (or if you have a key on your keyboard with the Windows symbol, hit that). When the Start menu appears, choose Run. In the text box that appears, type the word command and hit the Enter or Return key on your keyboard. A command window will appear. At the command prompt, type shutdown -a and hit the Enter or Return key. That command will abort the shutdown and allow you to apply the patch and remove the virus. To exit the command window, type exit and hit the Enter or Return key.

Additional Information

For further information, visit:

McAfee: http://vil.nai.com/vil/content/v_100549.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.randex.e.html
Trend Micro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RPCSDBOT.A&VSect=T
