July 21, 2004

wucmdex.exe, zsxtr.exe

Filed under: digital — mhoye @ 12:02 pm

Another day, another completely undocumented windows worm. Has any legitimate traffic ever happened on port 445? I doubt it. This week’s culprits are the barely-heard-of wucmdex.exe and the completely-unknown zsxtr.exe.

If your computer starts “acting funny”, Mcafee won’t run and so forth, well, here you are. If you can’t even call up the task manager, that’s an artefact of the zsxtr.exe infection.

I’ll have more information on this soon, and I’ll put together another document on the fixes for these bastards, but for now I suggest you apply the following procedure, that might as well be called the ANSI Standard Windows Fix: log in to safe mode with command prompt, as administrator, delete the file and hand-scrub the registry, P.S. hope you got everything. In this case, like so:

  1. Reboot the machine and hit F8 as soon as it POSTs.
  2. Choose “Safe Mode With Command Prompt”.
  3. Log in with an admin-privileged account.
  4. At the command prompt, do this:
    cd c:\windows\system32
    attrib -s -h -r wucmdex.exe
    attrib -s -h -r zsxtr.exe
    del wucmdex.exe
    del zsxtr.exe
  5. Run regedit, search for both of those filenames and delete any registry entries you find with them in it. On my machine, zsxtr.exe appears under a folder called “Krypton” which I’ve also deleted. There’s an associated file hidden in c:\windows\system32 called sys16.exe, which you should also unhide and remove.
  6. Reboot, hit F8, choose “safe mode with networking” and do a full Windows Update.

I should add here that it’s a good idea as a general practice to turn “System Recovery” off and to have all of these security updates on a burned CD. That last step, the Windows Update part, is just a race against time.

More news as it develops. Again, I’m grateful for any information people want to add to this. Please email me or leave a comment below.

This entry was last updated 1:00 PM EST, July 21/04


  1. My, my, my, you are a busy guy. Hope that you caught a rare and not so virulent bug in the wild – a curio of sorts – and not a new bad mofo. It’s hard to tell how things are going with the lack of feedback…

    good luck!

    Comment by Colin Richards — July 21, 2004 @ 10:10 pm

  2. God, here’s hoping. The problem is that Carleton’s system architecture is so antiquated and so thoroughly baroqued it’s almost impossible to track down everything that needs to be fixed. It’s like trying to repel boarders from a fractal.

    Comment by Mike Hoye — July 21, 2004 @ 11:04 pm

  3. Oh, it gets better. It looks like that zsxtr.exe thing actually gives itself a random five-letter name on every machine. And then claims that it’s Windows Media Player. Awesome.

    Christ, I hate windows.

    Comment by Mike Hoye — July 23, 2004 @ 3:48 pm

  4. We had some fun with wucmdex.exe (completely-unknown at that time) in our university network. The variant we found is by now detected by McAfee as BackDoor-CGS.
    AFAIK all the affected machines were missing security patches, notably MS04-011 and MS04-012.

    Comment by Wolfgang Ratzka — July 24, 2004 @ 10:00 am

  5. It’s good to know that McAfee is picking it up now. Thanks, Wolfgang.

    Comment by Mike Hoye — July 24, 2004 @ 10:20 am

RSS feed for comments on this post.

Sorry, the comment form is closed at this time.

Powered by WordPress