Open Source and information security mailing list archives
From: randallm at fidmail.com (RMueller)
Subject: Re: Full-Disclosure digest, Vol 1 #1939 - 2 msgs

hi,
First, there are no files there on the upload site. Second, it sucks to be
you right now! :) I googled and searched for everything I could think of and
found nothing. Do you have anything that will let you know if a program
attempts to connect out???


 --__--__--
 
 Message: 2
 Date: Wed, 29 Sep 2004 17:37:28 +0200
 From: "eNs!feRuM*" <ensiferum@...peed.ch>
 To: full-disclosure@...ts.netsys.com
 Subject: [Full-Disclosure] Spyware? Worm? Trojan? "face license free bait"
 
 Hello, list!
 
 I found something VERY VERY STRANGE on my computer last evening...
 While looking for spyware on my computer using HijackThis, I saw this 
 strange line:
 
 O4 - HKLM\..\Run: [Free Bait Cool Dash] C:\Documents and Settings\All Users\Application Data\face license free bait\GREYSEND.exe
 
 Here is the content of "face license free bait":
 
 - a locked file (unable to delete it!!) called "locksadminbash", size: 
 3536, crc32: 6A65964A, set as "system file" and of type "Driver" (how 
 could an extension-less file be recognized by Windows as a "driver"?!?!)
 - two locked programs called "GREYSEND.EXE" and "METAPOLL.EXE", same 
 size: 272966, same crc32: 70370FFB
 
 Yesterday evening, when I first saw this directory, there was another 
 file called "HOLE NAME.EXE" in the same directory (and METAPOLL), same 
 size, and I could delete it.
 
 
 While writing these lines I found two other shit directories :'(
 
 C:\PROGRA~1\Corn Internet Soft
 
 Filename                  Size    CRC-32
 C5EDFC35                  1060    92EE5B2C  [set as system files]
 cemaylou.exe            272966    70370FFB  (other names it has taken: 
                                             nxkkxpjy.exe, greyend.exe, metapoll.exe)
 HOLE NAME.exe           240663    A2325E7C
 logduperoad.exe           9970    25C7A91D
 seek barb regs win.exe   47616    D41BE72E  (other name it has taken: 
                                             batbodypokeextra.exe)
 
 
 C:\PROGRA~1\upload admin bind
 
 Filename                  Size    CRC-32
 DELETE PLAY.exe          15526    95665A33
 
 And I'm unable to delete any of these files!! They are not displayed in 
 taskmgr, and:
 
 --
 PsKill v1.03 - local and remote process killer
 Copyright (C) 2000 Mark Russinovich
 http://www.sysinternals.com
 
 Unable to kill process cemaylou.exe:
 Process does not exist.
 --
 
 I've tried to sniff all these exe names using tools from SysInternals 
 but I can't find any of these o_o !!
 
 Here is a list of all the word-parts that this "thing" uses:
 
 face, license, free, bait, grey, send, locks, admin, bash, meta, poll, 
 hole, name, cemaylou (single word?), log, dupe, road, seek, barb, regs, 
 win, upload, bind, delete, play, corn, internet, soft, cool, dash, bat, 
 body, poke, extra.
 
 
 What the hell is going on on my computer?? Is Big Brother watching me? =)
 
 I've uploaded these files on:
 
 http://swun.free/helpplease/
 
 Thank you very much indeed for your help.. and sorry for my really bad 
 English.
 
 ++ eNs!feRuM*
 
 
 
 --__--__--
 


 
thanks
Randall

___________________________________________________________
Fidelity Communications Webmail - http://webmail.fidnet.com
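An added example, not code from either poster: a small Python checker that parses HijackThis-style O4 autostart lines like the one quoted above, flags entries launched from data directories or from multi-word dictionary-looking folders, and maps a file's CRC-32 to the values the poster listed. The sample log line and the CRC table are transcribed from the post; the two flagging heuristics are assumptions, not part of HijackThis.

```python
import re
import zlib
from pathlib import PureWindowsPath

# Constructed from the post: the O4 line as HijackThis prints it, joined onto one line.
SAMPLE_O4 = (r"O4 - HKLM\..\Run: [Free Bait Cool Dash] C:\Documents and Settings\All Users"
             r"\Application Data\face license free bait\GREYSEND.exe")

# CRC-32 values the poster listed, keyed to the filenames they were seen under.
POSTED_CRC32 = {
    0x6A65964A: "locksadminbash",
    0x70370FFB: "GREYSEND.EXE / METAPOLL.EXE / cemaylou.exe / nxkkxpjy.exe",
    0x92EE5B2C: "C5EDFC35",
    0xA2325E7C: "HOLE NAME.exe",
    0x25C7A91D: "logduperoad.exe",
    0xD41BE72E: "seek barb regs win.exe / batbodypokeextra.exe",
    0x95665A33: "DELETE PLAY.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed heuristic: autostarts launched from shared/per-user data dirs deserve a look.
DATA_DIRS = ("application data", "local settings", "temp")

def parse_o4(line):
    """Return hive, key, display name and executable path from one O4 line, or None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    # Either a quoted path, or everything up to the first ".exe" (unquoted path with spaces)
    exe = re.match(r'"([^"]+)"|(.+?\.exe)', cmd, re.IGNORECASE)
    path = (exe.group(1) or exe.group(2)) if exe else cmd
    return {"hive": m.group("hive"), "key": m.group("key"), "name": m.group("name"), "path": path}

def suspicion_reasons(entry):
    """List why an autostart entry looks odd; an empty list means nothing was flagged."""
    p = PureWindowsPath(entry["path"])
    folder = str(p.parent).lower()
    reasons = []
    if any(d in folder for d in DATA_DIRS):
        reasons.append("autostart from a data directory")
    if len(p.parent.name.split()) >= 3:  # "face license free bait" style folder names
        reasons.append("multi-word dictionary folder name")
    return reasons

def identify_crc32(data):
    """Map a file's bytes to the filename(s) the post listed for that CRC-32, else None."""
    return POSTED_CRC32.get(zlib.crc32(data) & 0xFFFFFFFF)
```

Feed it the O4 lines of a HijackThis log and the bytes of each referenced file; a CRC-32 hit only says the file matches what the poster saw, so treat it as a lead, not a verdict.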


