virus OWNER.EXE through AOL

Posted in the Norwalk Virus Forum

Binesh Balan

Bangalore, India

#1 Feb 4, 2007
OWNER VIRUS REMOVAL SOLUTION

IF YOU SEE THIS FILE (OWNER.EXE IN YOUR TASK MANAGER) THEN YOUR SYSTEM IS INFECTED

This is a DDOS attack which uses a stack-based buffer overflow in Symantec Antivirus and Client Security that allows remote attackers to execute arbitrary code via unknown attack vectors. The patch for this is not yet released.

You can see here the series of SYN attacks.

It uses 2 types of ports, port no 666 and port no 2967:

Port no 666 uses Trojan Attack FTP (Trojan.Win32.FTP_Attack), which is level 8, meaning a Highly Dangerous Trojan.

Port no 2967 is used by ssc-agent (Symantec System Center),

which will create a series of connections through port no 2967 and start sending a SYN attack to the targeted system (chosen by the remote computer).



Owner.exe is just establishing the connection to the remote hacker through port no 666.
Deleting this file is a temporary solution.

It is easy to delete this file.

Just execute these commands (before deleting this file, please read below):

cd c:\windows\system32
attrib.exe owner.exe -h -r -s

Now you can see that file in the system32 folder.

Just type this command to delete it: del owner.exe

There are two more entries in the c:\windows\prefetch folder.

Delete these entries:

Entries will be like this: Owner.exe-<HEX mem value>.pf [delete this first]

Because of this, Owner.exe is started again…

During Windows startup, it reads the files in that folder (prefetch);
it makes use of the new Windows performance-increasing technology to restart the Trojan.



Delete the startup file in msconfig

And
In Run type this:

reg delete HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft

or run > regedit

Search owner.exe, delete all entries.

Once it has established the connection through port no 666,

it starts sending the [shares, computer name, services running, all network info … etc.]

YOU CAN SEE THIS IN THE PACKET DECODER



EMERGENCY SOLUTION FOR THIS IS TO BLOCK PORT NO 666 IN THE ROUTER OR FIREWALL

We can't block port no 2967 since it is used by Symantec Antivirus.
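As an added example (not part of the original post), the following PowerShell script checks a host for the indicators the post lists: a running owner.exe process, the hidden owner.exe in System32, its OWNER.EXE-*.pf prefetch entries, the Run value named "Microsoft", and any TCP connection to a remote port 666. The file name, prefetch pattern, Run value name and port number are taken from the post; the script itself, its report-only default and the -Remove switch are assumptions of this example. Run it from an elevated prompt and review the report before rerunning with -Remove.

```powershell
# Added triage script, not from the original post. Reports the indicators the
# post lists and removes them only when -Remove is given.
[CmdletBinding()]
param([switch]$Remove)

$sys32    = Join-Path $env:SystemRoot 'System32'
$target   = Join-Path $sys32 'owner.exe'          # file name from the post
$prefetch = Join-Path $env:SystemRoot 'Prefetch'
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# 1. Running process (Get-Process takes the name without the .exe extension)
$proc = Get-Process -Name 'owner' -ErrorAction SilentlyContinue
if ($proc) {
    $findings += "process owner.exe running (PID $($proc.Id -join ','))"
    if ($Remove) { $proc | Stop-Process -Force }
}

# 2. Hidden/system/read-only file in System32; -Force makes hidden items visible
$file = Get-Item -LiteralPath $target -Force -ErrorAction SilentlyContinue
if ($file) {
    $findings += "file $target present, attributes: $($file.Attributes)"
    if ($Remove) {
        $file.Attributes = 'Normal'            # same effect as attrib -h -r -s
        Remove-Item -LiteralPath $target -Force
    }
}

# 3. Prefetch entries that relaunch it at boot: OWNER.EXE-<hash>.pf (pattern from the post)
Get-ChildItem -Path $prefetch -Filter 'OWNER.EXE-*.pf' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $findings += "prefetch entry $($_.FullName)"
        if ($Remove) { Remove-Item -LiteralPath $_.FullName -Force }
    }

# 4. Autostart: a Run value named "Microsoft", the name used in the post's reg delete line
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Microsoft']) {
    $findings += "Run value 'Microsoft' = $($run.Microsoft)"
    if ($Remove) { Remove-ItemProperty -Path $runKey -Name 'Microsoft' }
}

# 5. Live TCP connections to a remote port 666 (netstat -ano columns: proto local foreign state pid)
netstat -ano | Select-String -Pattern '^\s*TCP' | ForEach-Object {
    $parts = ($_.Line -replace '^\s+', '') -split '\s+'
    if ($parts[2] -match ':666$') {
        $findings += "connection $($parts[1]) -> $($parts[2]) state $($parts[3]) pid $($parts[4])"
    }
}

if ($findings.Count -eq 0) { 'No owner.exe indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

The connection check is the one worth keeping in a firewall or IDS rule as well, since the post's own emergency measure is to block port 666 at the perimeter; the prefetch and Run-key checks are what tell you whether the removal actually held after a reboot.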
kaushak

Delhi, India

#2 Mar 7, 2007
this article is good
but not very good
john

UAE

#3 Dec 28, 2007
very helpful, Thanks
aby

UAE

#5 Apr 27, 2008
damn good ! keep it up
mohammed

Atlanta, GA

#6 Aug 7, 2010
super, thanks dude
