Possible worm break-in?


Original Message
Name: dan harmon
Date: February 20, 2003 at 14:11:09 Pacific
Subject: Possible worm break-in?
OS: Win2000
CPU/Ram: 128
Comment:

A research group in the building I do Help Desk work for called recently, saying that they were no longer (within the past two days) able to log on to their 7-8 NT and 2000 machines could not be logged onto over the network anymore. Looking at the user rights assignments, I noticed that "Log onto this machine from the network" was empty EXCEPT an account called "HelpAssistant." Of course, NT and 2000 don't HAVE MS based HelpAssistant accounts. Has anyone seen a worm/virus that does this?





Response Number 1
Name: dan harmon
Date: February 20, 2003 at 14:50:44 Pacific
Reply:

Sorry about the poor grammar in the first post. I should reread the things I write, eh? Anyway, here's the problem again, in better English:

A research group in the building I do Help Desk work for called recently, saying that they were no longer (within the past two days) able to log on to their 7-8 NT and 2000 machines anymore. Looking at the user rights assignments, I noticed that "Log onto this machine from the network" was empty EXCEPT an account called "HelpAssistant." Of course, NT and 2000 don't HAVE MS based HelpAssistant accounts. Has anyone seen a worm/virus that clears this policy and adds a new, phony HelpAssistant?



Response Number 2
Name: www
Date: February 20, 2003 at 23:03:37 Pacific
Reply:

User and computer accounts, MS TechNet
From the above link:
The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and will be automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote Assistance.



Response Number 3
Name: 2
Date: February 20, 2003 at 23:47:59 Pacific
Reply:

If you haven't upgraded, it has probably been hacked, by worm or trojan or directly.

Windows .NET server 2003
You will be able to upgrade each edition to the corresponding new version (i.e. you can upgrade Windows 2000 Advanced Server to Windows .NET Enterprise Server). You cannot "downgrade" releases, however; for example, you cannot upgrade Windows 2000 Server to Windows .NET Web Server.

Likewise, you will be able to upgrade various NT 4.0 Server editions to .NET Server as well.




Response Number 4
Name: John Whitchurch
Date: February 26, 2003 at 09:03:07 Pacific
Reply:

We have had the same thing happen with the several Win2000 computers I am responsible for. We are uncertain as to the cause. I've been going around manually to change the settings and disable the HelpAssistant account. The computers had little in common except possibly one account upon which we've improved the password.
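
Added example (not part of the thread and not any poster's code): a Python check for the symptom described above, run over the text of a `secedit /export` security template, where the network logon user right is stored as `SeNetworkLogonRight` under `[Privilege Rights]`. The allowlist and both sample templates are constructed for illustration and are assumptions, not data from the affected machines.

```python
# Added example: audit SeNetworkLogonRight in a `secedit /export` template.
# Well-known principals expected to hold the right; this allowlist is an
# assumption for the example and should be replaced by the site's baseline.
ADMINS = {"administrators", "*s-1-5-32-544"}
EXPECTED = ADMINS | {"everyone", "*s-1-1-0", "users", "*s-1-5-32-545",
                     "power users", "*s-1-5-32-547",
                     "backup operators", "*s-1-5-32-551"}

def privilege_rights(inf_text):
    """Return {right: [principals]} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "privilege rights" and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip() for p in value.split(",") if p.strip()]
    return rights

def audit_network_logon(inf_text, expected=EXPECTED):
    """Flag unexpected holders and a missing Administrators entry."""
    holders = privilege_rights(inf_text).get("SeNetworkLogonRight", [])
    return {
        "holders": holders,
        "unexpected": [p for p in holders if p.lower() not in expected],
        "admins_missing": not any(p.lower() in ADMINS for p in holders),
    }

# Constructed sample templates (not taken from the affected machines).
TAMPERED = """[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = HelpAssistant
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
"""
BASELINE = TAMPERED.replace("= HelpAssistant", "= *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545")

if __name__ == "__main__":
    # Real exports are typically UTF-16: open(path, encoding="utf-16").read()
    for label, text in (("tampered", TAMPERED), ("baseline", BASELINE)):
        print(label, audit_network_logon(text))
```

Running the same check against an export from each machine gives a quick list of which hosts have had the right rewritten, instead of inspecting each one by hand.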

