Yes, I would have liked to provide additional information but I was dealing
with a worm for which no definitions existed. I simply noticed 6000
machines shutting down on their own. Wintbp.exe was running on every one of
those machines. I understand that malicious code could generate random
filenames; however, the fact that the same process (definitely not belonging
there) was running on 6000 machines and taking up a considerable amount of
system resources led me to believe that this had to be malicious. At this
point I sent it to CA for analysis. They had not seen it before but told me
it was in fact malicious and that they would have a beta fix for me in a few
hours. Prior to this I had never seen an outbreak for which I couldn't find
some information at Symantec's website.
-----Original Message-----
From: Nick FitzGerald
To: focus-virus (at) securityfocus (dot) com [email concealed]
Sent: 8/16/2005 7:00 PM
Subject: Re: wintbp.exe
Schlegel, Justin wrote:
> My company has recently been hit with some variety of virus that is
> rebooting our machines. As far as I can tell the process causing the
> problem is wintbp.exe. I have searched in google and all the major AV
> vendors for this file with no luck. Does anyone have any information on
> this process as I do not know what virus I am up against?
Filenames _ALONE_ are next to entirely useless as diagnostic cues for
such things. Sadly "causes the machine to reboot" is not particularly
individualistic either...
Please send a sample to your preferred AV vendor(s) (and perhaps CC a
few of their competitors you trust to hurry them along). Should they
happen to be on the following list, then I've saved you the trouble of
looking up a suitable address.
Authentium (Command Antivirus) <virus (at) authentium (dot) com [email concealed]>
Computer Associates (US) <virus (at) ca (dot) com [email concealed]>
Computer Associates (Vet/EZ) <ipevirus (at) vet.com (dot) au [email concealed]>
DialogueScience (Dr. Web) <Antivir (at) dials (dot) ru [email concealed]>
Eset (NOD32) <sample (at) nod32 (dot) com [email concealed]>
F-Secure Corp. <vsamples (at) f-secure (dot) com [email concealed]>
Frisk Software (F-PROT) <viruslab (at) f-prot (dot) com [email concealed]>
Grisoft (AVG) <virus (at) grisoft (dot) cz [email concealed]>
H+BEDV (AntiVir, Vexira engine) <virus (at) antivir (dot) de [email concealed]>
Kaspersky Labs <newvirus (at) kaspersky (dot) com [email concealed]>
Network Associates (McAfee) <virus_research (at) nai (dot) com [email concealed]>
(use a ZIP file with the password 'infected' without the quotes)
Norman (NVC) <analysis (at) norman (dot) no [email concealed]>
Panda Software <labs (at) pandasoftware (dot) com [email concealed]>
Sophos Plc. <samples (at) sophos (dot) com [email concealed]>
Symantec (Norton) <avsubmit (at) symantec (dot) com [email concealed]>
Trend Micro (PC-cillin) <virus_doctor (at) trendmicro (dot) com [email concealed]>
(Trend may only accept files from users of its products)
In general, you may find the advice under the McAfee entry best
followed for any of the others as well.
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3267092
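To make Nick's point concrete, here is an added triage example (not from the thread or from any vendor) that correlates a suspect process across a fleet by file hash rather than by filename; the inventory records and hashes are constructed placeholders.

```python
# Added example (not from the thread): fleet triage keyed on file hash, because
# a filename alone is a weak indicator. All records below are constructed.
from collections import defaultdict

# Constructed inventory: (host, image name, sha256 of the image on disk).
# The hashes are placeholders, not real indicators.
INVENTORY = [
    ("ws-0001", "wintbp.exe", "aaaa1111"),
    ("ws-0002", "wintbp.exe", "aaaa1111"),
    ("ws-0003", "wintbp.exe", "aaaa1111"),
    ("ws-0004", "svchst.exe", "aaaa1111"),   # same binary under another name
    ("ws-0005", "wintbp.exe", "bbbb2222"),   # same name, different binary
    ("ws-0001", "explorer.exe", "cccc3333"),
    ("ws-0002", "explorer.exe", "cccc3333"),
]

# Constructed known-good hashes whose fleet-wide prevalence is expected.
ALLOWLIST = {"cccc3333"}

def prevalence_by_hash(inventory):
    """Map each hash to the hosts it runs on and the filenames it uses."""
    hosts = defaultdict(set)
    names = defaultdict(set)
    for host, name, digest in inventory:
        hosts[digest].add(host)
        names[digest].add(name)
    return {d: (hosts[d], names[d]) for d in hosts}

def outbreak_candidates(inventory, allowlist, min_hosts=3):
    """Hashes on at least min_hosts hosts and not allowlisted, most
    widespread first, each with the filenames it was seen under."""
    result = []
    for digest, (hosts, names) in prevalence_by_hash(inventory).items():
        if digest in allowlist or len(hosts) < min_hosts:
            continue
        result.append((digest, len(hosts), sorted(names)))
    return sorted(result, key=lambda r: -r[1])

def names_to_hashes(inventory):
    """How many distinct binaries sit behind each filename."""
    m = defaultdict(set)
    for _, name, digest in inventory:
        m[name].add(digest)
    return {n: sorted(ds) for n, ds in m.items()}

if __name__ == "__main__":
    for digest, n, names in outbreak_candidates(INVENTORY, ALLOWLIST):
        print(f"{digest}: on {n} hosts, seen as {', '.join(names)}")
    print(names_to_hashes(INVENTORY))
```

The hash-keyed view surfaces the renamed copy on ws-0004 and separates the unrelated wintbp.exe on ws-0005, which a name-only sweep would conflate.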