Glaukus (Member, Canada; 6 posts)
  1. The only thing I would like to add is that the latest McAfee EXTRA.DAT files are fully detecting this virus, from the bot-net to the rest of the rootkits it drops. Based on my reading, most other antivirus companies are detecting this as well. If you are still infected you may want to remove your drives and scan them from a clean PC with fully updated AV software. They provided me a Stinger as well to clean infected machines. It detected most things, but infected machines sometimes have in excess of 1000 infected files, including core files like explorer.exe. Therefore such machines had to be rebuilt.
  2. McAfee is now able to detect this and in some cases even clean the infected/rooted exes. They gave me an extra.dat which I have been testing for a few days. I think they will publish this in their regular DAT file in the next 48 hours.....
  3. I am just giving you the info I have about my case. Did you run Prevx CSI against your PC? McAfee will provide a Stinger utility soon. I will post once I have more info.
  4. Here is the latest from the AV company:
     ------------------------
     This malware connects to IRC channel. Connection information: NICK gvhmdwhu USER z020501 . . :#074711ecc JOIN #.364 :u. PRIVMSG jepabvnu :!get REMOVED URL :i.PONG :i. PING :i.PONG :i. PING :i.PONG :i. PING :i.PONG :i. PING :i.PONG :i. PING :i.PONG :i. PING :i.PONG :i. PING :i. Downloads this particular file REMOVED URL which is detected as (Generic Downloader.x). It adds an entry into the host file (127.0.0.1 ZieF.pl). It opens a port on the infected machine and waits for command on IRC channel. It also infects .exe files.
     Network activity: Connects to various IPs
       58.65.232.34
       211.95.79.6
       218.93.202.114
       61.235.117.81
     ---------------------------------------
     It is worth blocking the IPs, or rather putting fake DNS entries for all those connections. For us, we found the source EXE so we have removed it. The infected workstations are slowly getting reimaged. One more note: the AV company, after a full 48 hours, is still fighting for a solution. This is not yet widespread worldwide based on what they tell me. In my view it cannot be cleaned. It compromises too many OS files. Crazy stuff..... Once you identify the source, just remove that and proceed with the reimaging of your PCs. Also don't forget that if this thing stays live for long it may change behaviour, since it probably can autoupdate. Good luck.
  5. Hi, I have signed up on this site to share my experience with this same exact problem in the last 48 hours. I have the same exact symptoms. Winlogon.exe is reaching out to the same IP and more malware is eventually loaded. The original offender is currently undetectable. I managed to find out how I was getting infected. It turns out an exe file is being loaded automatically via a script that I have. The original exe, which is present in a network share, was modified "somehow" in the last few days. Once this exe runs, Winlogon.exe starts to connect to the IP automatically and the rest of the malware follows. The file has been submitted to the AV company, but after 2 days they haven't been successful in deconstructing the virus. Once I know more about the behavior I will try to post here. Good luck.
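Added example, not code from the thread or from the AV vendor: a small Python checker that looks for the three kinds of indicator quoted in post 4 (the 127.0.0.1 ZieF.pl hosts-file entry, the four contact IPs, and the IRC NICK/USER/JOIN handshake followed by a "!get <url>" PRIVMSG) in a hosts file, in firewall-style connection lines, and in a captured IRC session. Only those indicators come from the thread; the hosts text, connection log format and the sample session lines are constructed for the example, and "REMOVED_URL" stands in for the URL the thread redacted.

```python
"""Indicator checks for the IRC bot described in the thread (added example)."""
import re
from ipaddress import ip_address

# Indicators quoted in post 4 of the thread. Everything else in this file is constructed.
IOC_IPS = {"58.65.232.34", "211.95.79.6", "218.93.202.114", "61.235.117.81"}
IOC_HOSTS_ENTRY = ("127.0.0.1", "ZieF.pl")

# The handshake lines the write-up shows, and the "!get <url>" download command.
IRC_HANDSHAKE = re.compile(r"^(NICK|USER|JOIN)\s")
IRC_GET_CMD = re.compile(r"^PRIVMSG\s+\S+\s+:!get\s+(\S+)")


def hosts_file_hit(hosts_text):
    """True if the hosts file maps ZieF.pl to 127.0.0.1 (comments, tabs and
    case differences are tolerated, as they would be on a real machine)."""
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        names = {p.lower() for p in parts[1:]}
        if parts[0] == IOC_HOSTS_ENTRY[0] and IOC_HOSTS_ENTRY[1].lower() in names:
            return True
    return False


def ioc_connections(conn_lines):
    """Filter constructed firewall-style lines 'src dst dport process' for
    destinations in the IOC set; returns a list of (src, dst, process)."""
    hits = []
    for line in conn_lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line, skip rather than crash
        src, dst, _port, proc = fields[:4]
        try:
            ip_address(dst)
        except ValueError:
            continue  # hostname or garbage in the dst column
        if dst in IOC_IPS:
            hits.append((src, dst, proc))
    return hits


def irc_session_findings(stream_lines):
    """Count handshake lines and collect any '!get' download URLs from a
    captured client-to-server IRC stream."""
    handshake = 0
    urls = []
    for line in stream_lines:
        if IRC_HANDSHAKE.match(line):
            handshake += 1
        m = IRC_GET_CMD.match(line)
        if m:
            urls.append(m.group(1))
    return {"handshake_lines": handshake, "download_urls": urls}


# --- constructed sample inputs -------------------------------------------
SAMPLE_HOSTS = "# constructed hosts file\n127.0.0.1 localhost\n127.0.0.1\tZieF.pl\n"
SAMPLE_CONNS = [
    "10.0.0.7 58.65.232.34 6667 winlogon.exe",   # matches an IOC IP
    "10.0.0.7 10.0.0.1 53 svchost.exe",          # benign
    "10.0.0.9 fileserver 445 explorer.exe",      # non-IP dst, skipped
]
SAMPLE_IRC = [
    "NICK gvhmdwhu",
    "USER z020501 . . :#074711ecc",
    "JOIN #.364 :u.",
    "PRIVMSG jepabvnu :!get REMOVED_URL :i.",   # REMOVED_URL = placeholder
    "PONG :i.",
]


def report():
    """Run all three checks over the constructed samples and return the results."""
    return {
        "hosts": hosts_file_hit(SAMPLE_HOSTS),
        "connections": ioc_connections(SAMPLE_CONNS),
        "irc": irc_session_findings(SAMPLE_IRC),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On a real host, feed hosts_file_hit() the contents of %SystemRoot%\System32\drivers\etc\hosts and ioc_connections() lines from the perimeter firewall or proxy log; a hit from any of the three checks is reason to treat the machine as compromised and reimage it, as the thread's own conclusion suggests.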