msclock.exe virus

Just a heads up that there’s likely to be a new virus, present as msclock.exe in the windows\system32 directory, that gets added to hklm\software\microsoft\windows\run and runservice. It seems to replicate using common shared folders with weak passwords. msclock.exe looks like Internet Explorer if you look at the icons, and has a description of Internet Explorer. Not much else is known at the moment. NAV with today’s AV defs does not pick it up, and neither does Panda A/V software.
With msclock.exe running you will not be able to launch regedit or taskmgr. Rename these files and then run them… more details to follow… argh, I hate consulting sometimes.
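
A read-only check for the indicators reported in the post above (autorun values that reference msclock.exe, and the file in System32 presenting itself as Internet Explorer), as an added example that is not part of the original post. The function name is hypothetical, and the full `CurrentVersion\Run`, `RunOnce` and `RunServices` key paths are assumed from the locations named on this page.

```powershell
# Added example (read-only): look for the indicators reported in this thread.
# Find-MsclockIndicator is a hypothetical name; the key list is an assumption
# based on the Run / RunOnce / RunServices locations mentioned on the page.
$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'
)

function Find-MsclockIndicator {
    param(
        [string[]]$Keys      = $AutorunKeys,
        [string]  $FileName  = 'msclock.exe',
        [string]  $SystemDir = (Join-Path $env:SystemRoot 'System32')
    )

    # 1. Autorun values whose data references the file name.
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # key may not exist
        $regKey = Get-Item -LiteralPath $key
        foreach ($valueName in $regKey.GetValueNames()) {
            $data = [string]$regKey.GetValue($valueName)
            if ($data -like "*$FileName*") {
                [pscustomobject]@{
                    Indicator = 'Autorun'; Location = $key
                    Name = $valueName;     Detail   = $data
                }
            }
        }
    }

    # 2. The dropped file, with the description it claims for itself.
    $path = Join-Path $SystemDir $FileName
    if (Test-Path -LiteralPath $path) {
        $file   = Get-Item -LiteralPath $path -Force            # -Force: include hidden files
        $desc   = $file.VersionInfo.FileDescription
        $detail = "Description='$desc'; LastWrite=$($file.LastWriteTime)"
        if ($desc -like '*Internet Explorer*') {
            $detail += '; description claims Internet Explorer'  # mismatch with file name
        }
        [pscustomobject]@{
            Indicator = 'File'; Location = $path
            Name = $file.Name;  Detail   = $detail
        }
    }
}

$hits = @(Find-MsclockIndicator)
if ($hits.Count -eq 0) { 'No msclock.exe indicators found.' } else { $hits | Format-List }
```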

Comments

  1. Jim

    Not “likely to be a new virus” but it is here! My place of employment got nailed.

    The virus apparently came into our network on Sat. 3/20 at about 10:00AM. It stayed dormant until Tuesday 3/22 until a bit before 10:00AM. McAfee is calling it a new variant of the SDbot.worm. You accurately described it, but there is one other file it drops into the winnt(windows)\system32 folder. Its exact name escapes me but it is something like _data_dat.dat – or very similar. I have also seen it in the C:\ directory (on my infected machine which is running Win2K SP4 with all patches).

    This critter likes port 445 and my machine was trying to reach the mothership of some other machine in Estonia on port 8888.

    Oh yeah, it kills the running processes of various AV software. I tried running McAfee 7.1 Enterprise; it starts, runs a scan for about 1 second, then stops. You’ll easily know it if you have it if you try to bring up task mangler; it too also starts briefly then goes away, same as regedit which you mentioned previously.

    McAfee has a fix but aren’t putting it into their .dat files yet, as the fix hasn’t been fully through quality checks yet. They have a superdat. I guess you’ll have to wangle your way through their support chain and tell them you have the msclock.exe virus, and want the fix for the newly discovered (3/22) variant of the SDbot.worm.

    Jim

  2. Roger Watts

    A friend of mine just received this charming lil file / virus. I was able to clear it by using Xteq. ( Free tweaking pgm http://www.xteq.com/ )

    – After opening Xteq, I went into the Start-Up sequence (Auto-run sections 1 & 2), disabled all msclock.exe.
    – Deleted temp internet files, through IE6 Tools.
    – Rebooted.
    – Then I deleted the msclock.exe from System32 folder.

    Zone Alarm which had previously refused to load, now loaded. MS Taskmanager now loads without difficulty. AVG anti-virus runs without difficulty. All seems to run fine now. 🙂
    It should be noted that AVG apparently has yet to add this one to their virus database.

    Roger Watts

  3. virus dummy

    It hit me hard. I’m a nobody from nowhere; some lovely person on the internet told me how to get rid of it. Every time I hit Kazaa up for some downloading pleasure it reappears. P2P sucks. Oh well, I’ll take it easy on the downloading from now on. How do I get it out of the registry? Help on that is really needed.

  4. Jeff Schleede

    McAfee has found the virus and removes it in its latest update. I had it and couldn’t get rid of it without McAfee.

  5. Mika

    eTrust EZ Antivirus Version 6.1.7.0
    Started scanning: 09:31:12, 05.04.2004
    Major dat file v4008
    Minor dat file v5356
    Macro data file Apr 2 2004 (VMD Ver 1.6)

    Scanning boot sectors…
    C:\ Master Boot Record matches template, is OK: standard Win95 OSR2.
    C:\ Partition Boot Record matches template, is OK: standard Win2000 (4).

    Scanning file(s)…
    C:\WINDOWS\SYSTEM32\Msclock.exe – Win32.Deebot.F worm. Deleted.

    Finished scanning: 09:31:15, 05.04.2004
    Number of files scanned: 1.
    Number of infections: 1
    Number of infected files deleted: 1

    So this happened to me with Msclock.exe. I don’t know anyone else who got infected with it, at least I haven’t heard of it before this, but now I know what to do, thanks to everyone on this site.

    Rgds Mika

  6. John

    As stated by a user before, this is a nasty little pain in the ass virus. Symantec has finally added it to its signatures, as I believe most other companies have as well.

    It will, however, come back if you have infected users on your network. You MUST make sure that you have an administrator password on all systems connected, or it will just come back.

    In order to totally kill it, we had to rename the msclock.exe file, and delete it from the registry. There are two registry entries that will reference MICROSOFT DIGITAL CLOCK and MSCLOCK.EXE.

    They are located in HKEY_LM, SOFTWARE, MICROSOFT, WINDOWS, CURRENT VERSION, RUN and RUN ONCE.

    Delete them all, and you can then get the proper virus signature to kill it for good.

Comments are closed.