Govert J. Knopper
I found something.
In the proxy logs I saw that a PC in the network contacts the sites
"outerinfo" and "clickspring" when Windows starts up.
Some .bin files are downloaded.
I checked the PC and found a suspicious process "0ttrib.exe" was running; I
found no file with that name on the PC.
In HKCU\software\Microsoft\Windows\Currentversion\Run "attrib.exe" is run at
startup.
This file "attrib.exe" is located in C:\WINNT\System32 and attributes
hidden, read only and system are set; it is about 380 kB; the first
character looks like a normal "a", but it isn't. This is why it can co-exist
in the same folder with the innocent "attrib.exe" command line tool.
Sadly, Sophos doesn't detect it, nor do Ad-Aware and Spybot.
Obviously the sites that it contacted are blocked now in the proxy and the
malware is neutralized.
I still wonder: could a spammer have collected e-mail addresses this way?
Govert
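The two tells in Govert's post (a Run-key value pointing at a System32 binary whose name is a look-alike of a real tool, and that file carrying read-only, hidden and system attributes) can be turned into a small hunt. The script below is an added example, not code from the post; it assumes the look-alike first character is Cyrillic small a (U+0430), which the post does not state, and the Run-key values, directory listing and the CLI_TOOLS list are constructed for the demonstration.

```python
import unicodedata
from dataclasses import dataclass

# Subset of the Unicode TR39 confusables that look like ASCII letters.
# Assumption: the first character of the impostor "attrib.exe" is Cyrillic
# small a (U+0430); the post only says it is "not a normal a".
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0131": "i", "\u04bb": "h", "\u0501": "d",
}

# Tools that live in System32 but have no business auto-starting from Run.
# Constructed list; extend it for your own environment.
CLI_TOOLS = {"attrib.exe", "cmd.exe", "cacls.exe", "xcopy.exe"}


def skeleton(name: str) -> str:
    """Collapse look-alike characters onto ASCII so homoglyph names collide."""
    return "".join(CONFUSABLES.get(ch, ch)
                   for ch in unicodedata.normalize("NFKC", name).lower())


def exe_basename(command: str) -> str:
    """Executable file name from a Run-key command line (quoted or not)."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:command.find('"', 1)]
    else:
        path = command.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1]


@dataclass
class DirEntry:
    name: str
    size: int
    attrs: str  # attribute letters as `attrib` prints them: R, H, S, A


def find_lookalikes(listing, known=CLI_TOOLS):
    """Entries whose name is non-ASCII but collapses onto a known tool name."""
    return [e for e in listing
            if not e.name.isascii() and skeleton(e.name) in known]


def hidden_system_readonly(entry: DirEntry) -> bool:
    """True when R, H and S are all set, as on the file in the post."""
    return {"R", "H", "S"} <= set(entry.attrs.upper())


def suspicious_run_entries(run_values):
    """Run-key values that launch a non-ASCII-named or CLI-tool-named binary."""
    findings = []
    for value_name, command in run_values.items():
        exe = exe_basename(command)
        reasons = []
        if not exe.isascii():
            reasons.append("non-ASCII characters in executable name")
        if skeleton(exe) in CLI_TOOLS:
            reasons.append("command-line tool that should not autostart")
        if reasons:
            findings.append((value_name, exe, reasons))
    return findings


# Constructed sample data standing in for `reg query ...\Run` and `dir /a` output.
SAMPLE_RUN = {
    "Sophos AutoUpdate": r'"C:\Program Files\Sophos\AutoUpdate\ALMon.exe" /start',
    "attrib.exe": "C:\\WINNT\\System32\\\u0430ttrib.exe",
}
SAMPLE_SYSTEM32 = [
    DirEntry("attrib.exe", 11_264, "A"),           # the real tool (size constructed)
    DirEntry("\u0430ttrib.exe", 389_120, "RHS"),   # the impostor, ~380 kB, R+H+S
    DirEntry("cmd.exe", 236_544, "A"),
]


def hunt(run_values=SAMPLE_RUN, listing=SAMPLE_SYSTEM32):
    """Run both checks and return human-readable findings."""
    report = []
    for value_name, exe, reasons in suspicious_run_entries(run_values):
        report.append(f"Run value {value_name!r} -> {exe!r}: {'; '.join(reasons)}")
    for e in find_lookalikes(listing):
        flags = " (hidden+system+read-only)" if hidden_system_readonly(e) else ""
        report.append(f"{e.name!r} ({e.size} bytes) mimics {skeleton(e.name)!r}{flags}")
    return report


if __name__ == "__main__":
    for line in hunt():
        print(line)
```

On a live Windows host the constructed inputs would be replaced by `os.scandir()` over System32 (the attribute bits come from `st_file_attributes` and the `stat.FILE_ATTRIBUTE_*` constants) and by the values under the Run key read with `winreg`. The size mismatch is worth keeping as a third signal: a 380 kB file claiming to be a tiny command-line utility is odd on its own, even before looking at the first character of its name.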