Just a heads up that there's likely to be a new virus, msclock.exe, in the windows\system32 directory that gets added to hklm\software\microsoft\windows\run and runservice. It seems to replicate using common shared folders with weak passwords. msclock.exe looks like Internet Explorer if you look at the icons, and it has a description of Internet Explorer. Not much else is known at the moment. NAV with today's AV definitions does not pick it up, and neither does Panda A/V software.
With msclock.exe running you will not be able to launch regedit or taskmgr. Rename these files and then run them... more details to follow... argh, I hate consulting sometimes.
msclock.exe virus
7 Comments
This page contains a single entry by published on March 23, 2004 2:30 PM.

Not "likely to be a new virus" but it is here! My place of employment got nailed.
The virus apparently came into our network on Sat. 3/20 at about 10:00AM. It stayed dormant until Tuesday 3/22 until a bit before 10:00AM. McAfee is calling it a new variant of the SDbot.worm. You accurately described it, but there is one other file it drops into the winnt(windows)\system32 folder. Its exact name escapes me but it is something like _data_dat.dat - or very similar. I have also seen it in the C:\ directory (on my infected machine which is running Win2K SP4 with all patches).
This critter likes port 445 and my machine was trying to reach the mothership of some other machine in Estonia on port 8888.
Oh yea, it kills the running processes of various AV software. I tried running McAfee 7.1 Enterprise; it starts, runs a scan for about 1 second, then stops. You'll easily know it if you have it if you try to bring up task mangler; it too starts briefly then goes away, same as regedit, which you mentioned previously.
McAfee has a fix but aren't putting it into their .dat files yet, as the fix hasn't been fully through quality checks yet. They have a superdat. I guess you'll have to wangle your way through their support chain and tell them you have the msclock.exe virus, and want the fix for the newly discovered (3/22) variant of the SDbot.worm.
Jim
A friend of mine just received this charming lil file / virus. I was able to clear it by using Xteq. ( Free tweaking pgm http://www.xteq.com/ )
- After opening Xteq, I went into the Start-Up sequence (Auto-run sections 1 & 2), disabled all msclock.exe.
- Deleted temp internet files, through IE6 Tools.
- Rebooted.
- Then I deleted the msclock.exe from System32 folder.
Zone Alarm which had previously refused to load, now loaded. MS Taskmanager now loads without difficulty. AVG anti-virus runs without difficulty. All seems to run fine now. :)
It should be noted that AVG apparently has yet to add this one to their virus database.
Roger Watts
It hit me hard. I'm a nobody from nowhere; some lovely person on the internet told me how to get rid of it. Every time I hit Kazaa up for some downloading pleasure it reappears. P2P sucks. Oh well, I'll take it easy on the downloading from now on. How do I get it out of the registry? Help on that is really needed.
McAfee has found the virus and removes it in its latest update. I had it and couldn't get rid of it without McAfee.
Virus Dummy,
P2P does not suck, but rather, the software you use.
eTrust EZ Antivirus Version 6.1.7.0
Started scanning: 09:31:12, 05.04.2004
Major dat file v4008
Minor dat file v5356
Macro data file Apr 2 2004 (VMD Ver 1.6)
Scanning boot sectors...
C:\ Master Boot Record matches template, is OK: standard Win95 OSR2.
C:\ Partition Boot Record matches template, is OK: standard Win2000 (4).
Scanning file(s)...
C:\WINDOWS\SYSTEM32\Msclock.exe - Win32.Deebot.F worm. Deleted.
Finished scanning: 09:31:15, 05.04.2004
Number of files scanned: 1.
Number of infections: 1
Number of infected files deleted: 1
So this happened to me with Msclock.exe. I don't know anyone else who got infected with it, at least I haven't heard of it before this, but now I know what to do, thanks to everyone on this site.
Rgds Mika
As stated by a user before, this is a nasty little pain in the ass virus. Symantec has finally added it to its signatures, as I believe most other companies have as well.
It will, however, come back if you have infected users on your network. You MUST make sure that you have an administrator password on all systems connected, or it will just come back.
In order to totally kill it, we had to rename the msclock.exe file, and delete it from the registry. There are two registry entries that will reference MICROSOFT DIGITAL CLOCK and MSCLOCK.EXE.
They are located in HKEY_LM, SOFTWARE, MICROSOFT, WINDOWS, CURRENT VERSION, RUN and RUN ONCE.
Delete them all, and you can then get the proper virus signature to kill it for good.
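
The autostart check described in the post and comments above, as an added example that is not part of the original post or any comment: it scans saved "reg query" output from several machines for Run, RunOnce and RunServices values that reference msclock.exe or "Microsoft Digital Clock", so machines that would reinfect the network can be found. The host names, the ExampleTray and Updater values and the sample output are constructed.

```python
import re

# Autostart keys named on the page (Run, RunOnce, RunServices under CurrentVersion).
AUTOSTART_SUFFIXES = tuple(
    "\\microsoft\\windows\\currentversion\\" + k
    for k in ("run", "runonce", "runservices"))
# Indicators quoted in the post and comments.
INDICATORS = ("msclock.exe", "microsoft digital clock")
VALUE_LINE = re.compile(r"^\s+(?P<name>.+?)\s+(?P<type>REG_[A-Z_]+)\s*(?P<data>.*)$")

# Constructed sample: "reg query" output saved per host (host names are made up).
SAMPLE = {
    "PC-01": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Microsoft Digital Clock    REG_SZ    msclock.exe
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
""",
    "PC-02": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleTray    REG_SZ    C:\Program Files\Example\tray.exe
""",
    "PC-03": r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    Updater    REG_SZ    C:\WINDOWS\System32\MSCLOCK.EXE
""",
}


def find_msclock_autostarts(reg_query_output):
    """Return (key, value_name, data) for autostart values matching INDICATORS."""
    hits, key = [], None
    for line in reg_query_output.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()  # start of a new registry key section
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None or not key.lower().endswith(AUTOSTART_SUFFIXES):
            continue
        if any(i in (m["name"] + " " + m["data"]).lower() for i in INDICATORS):
            hits.append((key, m["name"], m["data"]))
    return hits


def infected_hosts(outputs):
    """Hosts whose saved output still holds a matching autostart value."""
    return sorted(h for h, text in outputs.items() if find_msclock_autostarts(text))


if __name__ == "__main__":
    print(infected_hosts(SAMPLE))
```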