Posted 09 January 2010 - 06:59 AM
What does this worm do?
Svchost.exe from the original system location tries to connect to 126.96.36.199 = forhomesale.ru from port 80, and as soon as it connects, svchost.exe consumes 50% of the CPU, and after 15 minutes I get a CPU overtemperature error. I analyzed it with Process Explorer and it shows a connection to the DCOM Launch service. If I disable DCOM Launch, then it activates itself through the RPC Service. And if I disable those services, I cannot connect to MSN, copy and paste, you know the rest.
I've just installed Sygate firewall and blocked outgoing connections to that IP and
With Combofix I can clean up the worm COMPLETELY, but I can't find out where the virus is located and what others should do if they get this worm, especially if they find out about it connecting to that IP/domain. Kaspersky is still unable to identify the virus or the malicious code on my website.
My PC is XP Professional SP2.
What can you suggest?