From: Jeff Shultz 

On Fri, 14 Jan 2005 22:00:21 -0500, Geo wrote:

> "Mike N."  wrote in message
> news:mscfu0t70m9cbdtlbifprl5opace69i89l{at}4ax.com...
>
>>    I've not run into this one yet...does it resist detection/removal, or
>> just come back by itself?
>
> Nothing I've found can detect or remove it. It disables AV software from
> seeing it and it's a persistent little bugger that has managed to avoid my
> removal attempts (my kids machine got infected and we ended up formatting
> it). Lots of customers seem to be getting hit by it too.
>
> What I noticed was a sasser like scan for port 445 to random IP addresses
> going out from my network, tracked it back to an IP address did a netstat
> -n and saw the machine was infected, then ran avg, spybot, adaware, some
> web av check, nothing showed the machine as infected but it sure as heck
> was. I did see usb2.exe (or maybe it was winusb2.exe) running in the task
> list and that turned out to be the virus. Once I knew that I had infected
> customers who were having trouble cleaning check for the task and they too
> had it running.
>
> Geo.

We block 445 at the routers... all the routers. So far we haven't had any
customers complain.

It's actually one of the few portblocks that I agree with my boss on.

--- BBBS/NT v4.01 Flag-5