Posted 14 July 2007 - 08:31 AM
I am a little confused by a worm I was fighting last week. This virus added several lines to the registry on our Windows 2000
Servers; one of the lines was in the HKLM - Run eDzy [Anti Virus] and it was starting up an infected file using a random name.
We are using Symantec Corporate Edition 10; when we had issues we had the Definitions from July 4th. I forcefully killed the
process, killed the file and then removed the keys manually. I updated the server with the Rapid Release Defs and did a full
scan. Symantec's new defs (July 5th and beyond) find this as W32.SPYBOT.WORM; when I researched this virus on Symantec's
site, their write-up hasn't been updated since January 2007. I did some online scans and Bitdefender found this as a different trojan
as did Trend.
Later that week we found a PC with similar symptoms and rather than the eDzy key it had a Moron key. Some of the symptoms are
loss of Internet access, loss of the ability to automatically get virus defs updated, loss of administrative shares. Pretty much seems
like a virus whose purpose is to cause lack of service to and from the infected PC.
I did see another message where someone had posted that particular key. I would like to know how this worm got on my network
and why Symantec hasn't listed this as a newer threat.