Another Leftover Story
Talking about virus leftovers – I recently noticed a leftover of the Conficker worm which is used by the virus to reinfect the systems, they are scheduled tasks on windows systems. I have only noticed them on Server OSs, they are named like ‘At’ and then any random numbers, usually starting with 1 like At1, At2……….At15, At4098 etc. As files they are named as At1.job…..At4753.job etc. as .job is the extension for secheduled tasks.
These tasks are used to run the infected dlls at a particular hour in a day, so, if a server has got 10 such jobs then it means that an attempt to resurrect the kido virus is made 10 times a day. These jobs try to run dlls followed by some random characters, one example would be “rundll32.exe ecaosp.hwo,cpmjb”.
Our antivirus (Kaspersky) doesn’t detect them – mainly because they are not viruses themselves but just a tool to re-enable the virus. Mcafee does detect them and cleans them up. The manual cleanup process for these jobs is well documented at http://support.microsoft.com/kb/962007 . If a system is infected with conficker the jobs are said to reappear after a few hours upon manual deletion but I didn’t see this behaviour on my servers may be because the servers were all cleaned up and only the jobs remained as – the leftovers.