Suspect application auto-installed!


Amjad

Perhaps a chronological narration of events would best
highlight a suspect occurrence (using a fully updated
Windows XP and IE6):

1. While viewing email, using web mail, clicked a link in
a spam message
to "http://www.cityvixens.co.uk/winxp.html".

2. As soon as the page downloaded, an error message
appeared to the effect that "fhamlcje.exe" failed to
start because "MSVCR70.dll" was not found. This was the
only alert to something having gone awry by visiting the
web site.

3. A local search for the .exe file revealed that a
subfolder "\rnbw" had been created
under "C:\WINDOWS\system32" containing the suspect file -
"fhamlcje.exe", 18,944 bytes. Both the folder and file
bore the same date/time stamp as the visit to the web
page - Sun 04 Jul 2004 11:08.

4. Logged off and on again - the same error message
reappeared except that the file name had changed
to "ikhjfmfm.exe". (The .exe file name changes at random
at each logon but its size and date/time stamp remains
the same as the very first.) This was an indication that
the suspect application starts at each logon.

5. Using startup monitors, "Autoruns" and "Starter",
found a Registry entry under User Run to the location of
the suspect file:
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Value: C:\WINDOWS\system32\rnbw\*.exe
(*.exe refers to the file which changes name at each
logon, as mentioned above.)

6. Located "winxp.html" in IE Cache, opened in Notepad,
found coded JavaScript.

7. Restored System to a Checkpoint prior to the visit to
cityvixens.co.uk which removed the subfolder "\rnbw", its
content and deleted the User Run Registry entry.

Q 1: Why is it that IE allows the surreptitious download
and install of the .exe file while it explicitly cautions
every time you intentionally download or open a file from
the Internet?

Q 2: In seeking to prevent a recurrence of such
incidents, I happened on this forum. Is the solution to
be found in Frank Saunders' response to topic "hijack
ware" Jul 9 2004 6:23 PM?

Notes:
1. A later local search for "MSVCR70.dll" found the .dll
in three locations:
C:\Windows\System32\URTTemp
C:\Windows\Microsoft.NET\Framework\v1.0.3705
C:\Program Files\Microsoft Office\Office11\VS Runtime

2. A copy each of the web page "winxp.html" and the *.exe
file has been saved in case an MVP wishes to investigate
this further.
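The post's own findings (a Run value in HKCU pointing into a freshly created subfolder of system32, and an executable whose name changes at every logon) are exactly the kind of indicators an autostart review should flag. The following Python script is an added example and is not part of Amjad's post or of the Autoruns/Starter tools mentioned; it parses a text export of the Run key, checks each entry against a small baseline of expected autostarts, and reports entries that run from a subfolder of system32 or carry a randomised-looking file name. It also compares two snapshots taken across logons to catch the rotating-filename behaviour described in step 4. The value name "rnbw", the other two entries, the baseline set and the second snapshot are all constructed for the example; only the \rnbw folder and the two file names come from the post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample export of HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
# The \rnbw folder and the file names mirror the post; value names and the other
# two entries are made up for the example.
SAMPLE_RUN_LISTING = r"""
ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
MSMSGS        REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
rnbw          REG_SZ    C:\WINDOWS\system32\rnbw\fhamlcje.exe
"""

# Constructed second snapshot, taken after the next logon: same folder, new name.
SAMPLE_RUN_LISTING_NEXT_LOGON = r"""
ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
MSMSGS        REG_SZ    "C:\Program Files\Messenger\msmsgs.exe" /background
rnbw          REG_SZ    C:\WINDOWS\system32\rnbw\ikhjfmfm.exe
"""

# Baseline of executables you expect to see autostart on this machine (assumption).
KNOWN_GOOD = {"ctfmon.exe", "msmsgs.exe"}
SYSTEM32 = PureWindowsPath(r"C:\WINDOWS\system32")

_LINE = re.compile(r"^(\S+)\s+REG_SZ\s+(.+?)\s*$")


def extract_exe_path(data: str) -> str:
    """Return the executable path from a Run value's data, dropping any arguments."""
    data = data.strip()
    if data.startswith('"'):                      # quoted path, possibly followed by args
        end = data.find('"', 1)
        return data[1:end] if end != -1 else data[1:]
    m = re.search(r"\.exe", data, re.IGNORECASE)  # unquoted path: cut after the .exe
    return data[: m.end()] if m else data.split()[0]


def parse_run_listing(text: str):
    """Parse 'name  REG_SZ  data' lines into (value_name, exe_path) pairs."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if m:
            entries.append((m.group(1), extract_exe_path(m.group(2))))
    return entries


def looks_random(basename: str) -> bool:
    """Crude indicator: 8+ letters with a run of 4+ consonants (e.g. fhamlcje, ikhjfmfm)."""
    stem = basename.lower().rsplit(".", 1)[0]
    if len(stem) < 8 or not stem.isalpha():
        return False
    longest = max(len(run) for run in re.findall(r"[^aeiou]+", stem))
    return longest >= 4


def in_system32_subfolder(path: str) -> bool:
    """True when the file sits in a subfolder of system32 rather than system32 itself."""
    parts = [p.lower() for p in PureWindowsPath(path).parent.parts]
    s32 = [p.lower() for p in SYSTEM32.parts]
    return parts[: len(s32)] == s32 and len(parts) > len(s32)


def assess_entry(name: str, path: str):
    """Return the list of reasons an autostart entry deserves a closer look."""
    reasons = []
    base = PureWindowsPath(path).name.lower()
    if base not in KNOWN_GOOD:
        reasons.append("not in baseline")
    if in_system32_subfolder(path):
        reasons.append("runs from a subfolder of system32")
    if looks_random(base):
        reasons.append("randomised-looking file name")
    return reasons


def find_suspicious(text: str):
    """Map each flagged value name to its reasons; clean entries are omitted."""
    result = {}
    for name, path in parse_run_listing(text):
        reasons = assess_entry(name, path)
        if reasons:
            result[name] = reasons
    return result


def rotated_executables(before: str, after: str):
    """Value names whose data still points at the same folder but at a different file name."""
    prev = {n: PureWindowsPath(p) for n, p in parse_run_listing(before)}
    rotated = []
    for n, p in parse_run_listing(after):
        cur = PureWindowsPath(p)
        if n in prev and prev[n].parent == cur.parent and prev[n].name != cur.name:
            rotated.append(n)
    return rotated


if __name__ == "__main__":
    for name, reasons in find_suspicious(SAMPLE_RUN_LISTING).items():
        print(f"{name}: {', '.join(reasons)}")
    print("rotated since last logon:", rotated_executables(SAMPLE_RUN_LISTING,
                                                          SAMPLE_RUN_LISTING_NEXT_LOGON))
```

The folder-based checks matter more than the name heuristic: because the file name in the post rotates at every logon, a detection keyed on the file name alone would break immediately, whereas the Run value and the \rnbw folder stayed constant and are what System Restore ultimately removed.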