
Wednesday, May 12, 2004

W2NETMGR.EXE - COOL.EXE


The virus infected us this morning. Keylogger, trojan, it's the whole package. Google doesn't have anything on it. Neither does astalavista.box.
Searched almost all other search engines.

Spreads over the network, kills the 'RegEdit' window as soon as it opens.
Modifies the host file in system32/drivers/etc/hosts and redirects all browser requests for known antivirus websites to 127.0.1.
Only known definite symptoms.

So far, the sysads have worked out the following process -

1. boot in safe mode.
2. delete all copies of wnetmgr.exe
3. delete all copies of cool.exe
4. delete all registry keys which reference the virus
5. restart into safe mode with networking.
6. change winxp cd keys.
7. install XP service pack 1
8. install updates from windowsupdate.microsoft.com
9. reboot into normal mode
10. open regedit.
11. wait.
12. if regedit doesn't get killed, you're home free.
13. the virus infected my machine again after 2 hours so wait for a LONG while.

As of this moment, the above process will NOT clean your machine.

The virus could be a variant of W32.Donk.Q (not confirmed)
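The hosts-file redirection described above can be checked for after each cleanup attempt. The script below is an added example, not part of the original post: it parses hosts-file text and reports entries that point a watched domain at the local machine. The watchlist and the sample file are assumptions constructed for the example, since the post does not name the redirected sites.

```python
import ipaddress
import socket
import sys

# Assumed watchlist: the post does not say which antivirus sites were redirected.
WATCHED = ("symantec.com", "mcafee.com", "sophos.com", "trendmicro.com")

# Constructed sample, not copied from an infected machine.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1    localhost
127.0.1      www.symantec.com
127.0.0.1    update.symantec.com WWW.McAfee.com   # two names, one line
0.0.0.0      download.mcafee.com
192.0.2.10   intranet.example
127.0.0.1    notsymantec.com
"""

def parse_hosts(text):
    """Yield (line_no, address, hostname) for every mapping, skipping comments."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        for name in fields[1:]:
            yield line_no, fields[0], name.lower().rstrip(".")

def is_sinkhole(address):
    """True for loopback/unspecified targets, including short forms like 127.0.1."""
    try:
        ip = ipaddress.ip_address(socket.inet_aton(address))
    except (OSError, ValueError):
        try:
            ip = ipaddress.ip_address(address)  # IPv6, e.g. ::1
        except ValueError:
            return False
    return ip.is_loopback or ip.is_unspecified

def find_redirects(text, watched=WATCHED):
    """Return hosts entries that point a watched domain at the local machine."""
    return [(n, addr, name) for n, addr, name in parse_hosts(text)
            if is_sinkhole(addr)
            and any(name == d or name.endswith("." + d) for d in watched)]

if __name__ == "__main__":
    # Pass the path to a hosts file, or run with no argument to scan the sample.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_HOSTS)
    for n, addr, name in find_redirects(text):
        print(f"line {n}: {name} -> {addr}")
```

An empty result on a machine that showed the symptom earlier only means the hosts file is clean at that moment; the post notes reinfection after two hours, so the check is worth repeating.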


Google Revamps Blogger for Wider Appeal


Blogger, the pioneer Weblogging tool acquired by Google last year, has been revamped to appeal to a broader audience. The major change is a new look, aimed at people who have never created a blog and may not know what one is. "Our whole angle is we can pull in millions and millions of people to blogging," said Evan Williams, who co-founded the service in 1999.

Virus Arrests Continue, As Do Worms


A series of arrests in Germany for alleged computer virus creation is likely to deter casual virus writers, but worms and variants continue and the most hardened computer criminals will probably be more careful, not quelled by the arrests, according to security experts.
