
W32.HLLW.Nebiwo

Discussion in 'Security and Privacy' started by skeet23, 2003/04/28.

Thread Status:
Not open for further replies.
  1. 2003/04/28
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    Hey,

    I was hoping someone could give me some advice. I work in a company, and have been getting this W32.HLLW.Nebiwo every time I log on. The virus is quarantined successfully, but I can't seem to figure out how it propagates itself. According to the Symantec website, there is a key in the registry that, upon start-up, copies the virus. However, I have yet to find it in the specified location in my computer's registry.

    Any advice would be appreciated!

    -Skeet23
     
  2. 2003/04/28
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    Check:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Look for the value of Shell. It should be just "explorer.exe ".

    Check the Startup folder, too.
     
    Last edited: 2003/04/28

  4. 2003/04/28
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    Abraxas,

    Does it matter what O/S I'm using? My box is running 2000, but most of the people in my company who seem to be spreading this are on Windows NT.

    I did check the registry, and Shell was Explorer.exe. I assume this is fine. And there is nothing unusual in the start-up menu.

    -Skeet23
     
  5. 2003/04/28
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
  6. 2003/04/28
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    Thanks for the tip!

    I got the list, but nothing sticks out to me. I'll post it here, and if you see something please let me know.


    Running processes:

    E:\WINNT\System32\smss.exe
    E:\WINNT\system32\winlogon.exe
    E:\WINNT\system32\services.exe
    E:\WINNT\system32\lsass.exe
    E:\WINNT\system32\svchost.exe
    E:\WINNT\system32\spoolsv.exe
    E:\Program Files\NavNT\defwatch.exe
    E:\WINNT\System32\svchost.exe
    E:\Program Files\NavNT\rtvscan.exe
    E:\WINNT\system32\regsvc.exe
    E:\WINNT\system32\MSTask.exe
    E:\WINNT\System32\WBEM\WinMgmt.exe
    E:\WINNT\System32\mspmspsv.exe
    E:\WINNT\Explorer.EXE
    E:\Program Files\Winamp\Winampa.exe
    E:\Program Files\NavNT\vptray.exe
    E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    E:\Program Files\QuickTime\qttask.exe
    E:\Program Files\Real\RealPlayer\RealPlay.exe
    E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    E:\Program Files\MSN Messenger\msnmsgr.exe
    C:\notes\NLNOTES.EXE
    E:\Program Files\Remedy\Aruser.exe
    E:\Program Files\Internet Explorer\IEXPLORE.EXE
    E:\PROGRA~1\WinZip\winzip32.exe
    E:\DOCUME~1\DAVID_~1\LOCALS~1\Temp\StartupList.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [E:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Acrobat Assistant.lnk = E:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
    Adobe Gamma Loader.exe.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = E:\WINNT\system32\userinit.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    Synchronization Manager = mobsync.exe /logon
    AtiPTA = atiptaxx.exe
    WinampAgent = "E:\Program Files\Winamp\Winampa.exe "
    vptray = E:\Program Files\NavNT\vptray.exe
    EM_EXEC = E:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
    QuickTime Task = "E:\Program Files\QuickTime\qttask.exe" -atboottime
    RealTray = E:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    --------------------------------------------------

    Shell & screensaver key from E:\WINNT\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=(NONE)
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    -Skeet23
     
  7. 2003/04/28
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    Looks normal enough to me. Did you check autoexec.nt and config.nt?

    Let's go back a little. What exactly is the message you receive and does it come from Windows or NAV?
     
  8. 2003/04/29
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    This is the virus message. I've been getting it about a dozen times a day. It seems to be snowballing in how fast it propagates itself.

    It seems like the message is from NAV; certain employees in my company that don't have virus protection, for whatever odd reason, are either getting these messages from the server, or not at all.

    Scan type: Realtime Protection Scan
    Event: Virus Found!
    Virus name: W32.HLLW.Nebiwo
    File: C:\WINDOWS\Start Menu\Programs\Startup\~2.EXE
    Location: Quarantine
    Computer: DAVIDBERSE
    User: Administrator
    Action taken: Clean failed : Quarantine succeeded : Access denied
    Date found: Tue Apr 29 10:07:21 2003

    As for your other suggestions above, I'm not sure how to do that.

    Any ideas? This is driving me and my co-workers crazy!

    -skeet23
     
  9. 2003/04/29
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    Have you tried the removal tool from Symantec?

    http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.nebiwo.removal.tool.html

    Be sure to run it on all affected computers since they don't make any promises about network cleaning, and be sure the machines are offline until all are cleaned so they don't reshare the infection.

    We're running out of startup locations, but you could search for autoexec and config files to see if they contain any suspicious programs.

    Another possible start location that wouldn't have appeared in your list is Scheduled Tasks. Anything scheduled to run when the computer starts?

    What exactly is in this folder:
    C:\WINDOWS\Start Menu\Programs\Startup ?

    It looks like a Win9x family menu folder and may contain something it shouldn't.
     
    Last edited: 2003/04/29
  10. 2003/04/30
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    The removal tool, I've already tried several times. Each time disabling the network connection, and each time it comes up with nil even if there are viruses quarantined in NAV.

    I can't tell you what a tremendous pain this thing is...

    Within the c:\windows\start menu\programs\startup folder are just three very non-conspicuous items: Office Shortcut Bar, Office Start Up, and Find Fast.

    > We're running out of startup locations, but you could search for
    > autoexec and config files to see if they contain any suspicious
    > programs.

    > Another possible start location that wouldn't have appeared in
    > your list is Scheduled Tasks. Anything scheduled to run when
    > the computer starts?

    How do I check these two items?

    -skeet23
     
  11. 2003/04/30
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    If you haven't, try an online scan with another AV:
    http://housecall.trendmicro.com/housecall/start_corp.asp

    The Scheduled Tasks are in Start > Programs > Accessories > System Tools.

    In Control Panel, Folder Options, View tab, be sure you have hidden files visible and then search using the XP search tool, being sure you set your options to search system files, for "autoexec" and "config" files. Open them in Notepad (or use "Edit" if it appears in the context menu) to see if they contain any references to something suspicious.

    Better yet, get a good file search tool here:

    www.agentransack.com (look for the free searcher---it beats XP's by a mile).

    Any idea where NAV has put that quarantined file so you can delete it?

    Victim machines may have a registry entry disguised as NAV:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    "NAV Live Update" = (path to worm)

    If you find this, remove the registry entry and the target worm.
     
    Last edited: 2003/04/30
  12. 2003/04/30
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    Thanks for the link to the scan, but my network config. won't allow it.

    The Scheduled Task item, when attempting to view, gives me the following error:

    The exception unknown software exception (0x006d007f) occurred in the application at location 0x77eab2fo.

    Do you have any idea what this means? I get it when I access Scheduled tasks through explorer, not from Start - prog - access. - etc..

    I've looked at the autoexec. and config, but nothing pops out as out of the ordinary.

    The key listed in your post is not in the registry.

    I can't tell where the items are quarantined within Norton.

    Is this insane or what....

    -skeet23
     
  13. 2003/04/30
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    I can just imagine how frustrating it is. This virus seems to have a large number of variants and propagation methods.

    Some more places (not on all machines):


    \WINNT\Profiles\All Users\Start Menu\Programs\Startup
    \WINDOWS\Start Menu\Programs\Startup
    \Documents and Settings\All Users\Start Menu\Programs\Startup

    Apparently, the worm propagates especially fast over the network as soon as someone logs on as Admin and the infected machine then has access to all the network shares.

    You could try reinstalling NAV in case it has been damaged.

    Try logging in as a non-Admin user on the machine and then running a NAV scan using the "Run As...." in the context menu if only Admin can do scans with NAV.

    Can you see the quarantined file(s) in NAV's quarantine section and can they be deleted from there?

    You mentioned that some people have no virus protection? What prevents them from continually becoming infected and reinfecting the network?
     
    Last edited: 2003/04/30
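    The autostart locations Abraxas walks through across posts #2, #9, #11 and #13 (the Winlogon Shell and Userinit values, the Run keys, the Startup folders and Scheduled Tasks) can be enumerated in one pass instead of by hand. The script below is an added example, not code from this thread, from Symantec or from WindowsBBS; it assumes an elevated PowerShell 5.1 or later session on Windows 8 / Server 2012 or newer (Get-ScheduledTask needs the ScheduledTasks module) and the default Shell/Userinit values of Windows 2000 and later. The `~<digit>.exe` filename pattern it flags is taken from the NAV alert quoted in post #8, and the "NAV Live Update" value name from post #11; everything else is listed rather than judged, so it can be compared against a known-clean machine.

```powershell
# Added example: audit the autostart locations discussed in this thread.
# Assumptions: elevated PowerShell 5.1+ on Windows 8 / Server 2012 or newer;
# default Shell/Userinit values for Windows 2000 and later.

function Get-AutostartFindings {
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Winlogon Shell / Userinit (post #2 and the StartupList output in post #6).
    $winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $winlogon = Get-ItemProperty -Path $winlogonKey
    if ("$($winlogon.Shell)".Trim() -ine 'explorer.exe') {
        $findings.Add("Shell is '$($winlogon.Shell)' in $winlogonKey (expected 'explorer.exe')")
    }
    # Userinit normally carries a trailing comma, e.g. "C:\Windows\system32\userinit.exe,"
    $expectedUserinit = Join-Path $env:SystemRoot 'system32\userinit.exe'
    if ("$($winlogon.Userinit)".TrimEnd(',').Trim() -ine $expectedUserinit) {
        $findings.Add("Userinit is '$($winlogon.Userinit)' in $winlogonKey (expected '$expectedUserinit')")
    }

    # 2. Run / RunOnce keys. Post #11 names a value disguised as "NAV Live Update";
    #    every other value is printed so it can be compared against a clean machine.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # PSPath, PSParentPath, PSChildName, PSProvider
            Write-Host ("RUN   {0}\{1} = {2}" -f $key, $p.Name, $p.Value)
            if ($p.Name -like '*NAV*Live*Update*') {
                $findings.Add("Run value '$($p.Name)' in $key points to '$($p.Value)'")
            }
        }
    }

    # 3. Per-user and all-users Startup folders (posts #2 and #13). The NAV alert in
    #    post #8 named ~2.EXE in a Startup folder, so tilde-digit executables are flagged.
    $startupDirs = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    foreach ($dir in $startupDirs) {
        Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host ("START {0}" -f $_.FullName)
            if ($_.Name -match '^~\d+\.exe$') {
                $findings.Add("Executable '$($_.FullName)' sitting in a Startup folder")
            }
        }
    }

    # 4. Scheduled tasks that fire at boot or logon (post #9).
    $triggerClasses = @('MSFT_TaskBootTrigger', 'MSFT_TaskLogonTrigger')
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $bootOrLogon = @($task.Triggers | Where-Object { $triggerClasses -contains $_.CimClass.CimClassName })
        if ($bootOrLogon.Count -gt 0) {
            foreach ($action in $task.Actions) {
                if ($action.Execute) {
                    Write-Host ("TASK  {0}{1} -> {2} {3}" -f $task.TaskPath, $task.TaskName, $action.Execute, $action.Arguments)
                }
            }
        }
    }

    return $findings
}

$findings = Get-AutostartFindings
if ($findings.Count -eq 0) {
    Write-Host 'No anomalies in the checked locations; diff the listing against a clean machine.'
} else {
    Write-Host "`nFINDINGS:"
    $findings | ForEach-Object { Write-Host " - $_" }
}
```

    Running it on the machine from post #6 should print the same Run values and Startup shortcuts that StartupList.exe reported, which is the point: the listing is only useful when set beside the output from a host that is known to be clean, since a worm entry will look like just another program path.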
  14. 2003/04/30
    skeet23

    skeet23 Inactive Thread Starter

    Joined:
    2003/04/28
    Messages:
    7
    Likes Received:
    0
    I checked in all the places specified, except the dir. for Win NT, and saw nothing out of the ordinary.

    NAV does quarantine the viruses and successfully deletes them. What I don't get is: are the continuous virus notifications coming from NAV? Is the virus propagating from within my system? Or are they being sent to me from infected users?

    fyi. Some time back, a few months ago, there were several NAV servers decommissioned. The users pointed to these servers for Live Updates were not notified, and aren't running current virus definitions. Some users, especially those on the road, are running god knows what.

    In some cases, especially if there are a large number of quarantined items for a long period of time, it definitely begins to attack Norton. A tell-tale sign is the disappearance of the shield in the system tray.

    I can't think of what to do, besides just cleaning out the quarantine over and over again...

    What do you think?

    -skeet23
     
  15. 2003/04/30
    Abraxas

    Abraxas Inactive

    Joined:
    2002/08/16
    Messages:
    2,361
    Likes Received:
    3
    What a mess, huh?

    One thing that got me curious was your mention of multiple messages during the day. The question is what prompts them to appear. That made me wonder about reinfection through the network, possibly by some Typhoid Mary that is not even aware of the infestation.

    If the virus hasn't attached itself to some app you use, and using that app always causes the message, then the reinfection seems too random to be originating from your machine.

    How difficult is it to be sure everyone who connects has up-to-date AV? Knowing nothing about your situation, I would think that this problem may be just the beginning if the hole (if that's what it is) isn't patched permanently.

    Are there logs of users' connections that you could pore over to see if there are coincidences?

    The best thing, of course, would be to isolate individual machines and see what happens, but that may very well not be practical.

    Do you presently have tasks scheduled?

    Just for kicks, check the properties of mstask.exe:
    09/27/2000 07:42p 4.71.2195.1 118,032 Mstask.exe
     
    Last edited: 2003/04/30