
| Subject: | [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1939 - 2 msgs |
|---|---|
| Date: | Wed, 29 Sep 2004 14:17:51 -0500 |
hi,

First, there are no files there on the upload site. Second, it sucks to be you right now! :) I googled and searched for everything I could think of and found nothing. Do you have anything that will let you know if a program attempts to connect out???

--__--__--

Message: 2
Date: Wed, 29 Sep 2004 17:37:28 +0200
From: "eNs!feRuM*" <ensiferum@hispeed.ch>
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Spyware? Worm? Trojan? "face license free bait"

Hello the list!

I found something VERY VERY STRANGE on my computer last evening...

While looking for spyware on my computer using HijackThis, I saw this strange line:

O4 - HKLM\..\Run: [Free Bait Cool Dash] C:\Documents and Settings\All Users\Application Data\face license free bait\GREYSEND.exe

Here is the content of "face license free bait":

- a locked file (unable to delete it!!) called "locksadminbash", size: 3536, crc32: 6A65964A, set as "system file" and of type "Driver" (how could an extension-less file be recognized by Windows as a "driver"?!?!)
- two locked programs called "GREYSEND.EXE" and "METAPOLL.EXE", same size: 272966, same crc32: 70370FFB

Yesterday evening, when I first saw this directory, there was another file called "HOLE NAME.EXE" in the same directory (and METAPOLL), same size, and I could delete it.

While writing these lines I found two other shit directories :'(

C:\PROGRA~1\Corn Internet Soft

| Filename | Size | CRC-32 | Notes |
|---|---|---|---|
| C5EDFC35 | 1060 | 92EE5B2C | set as system files |
| cemaylou.exe | 272966 | 70370FFB | other names it has taken: nxkkxpjy.exe, greyend.exe, metapoll.exe |
| HOLE NAME.exe | 240663 | A2325E7C | |
| logduperoad.exe | 9970 | 25C7A91D | |
| seek barb regs win.exe | 47616 | D41BE72E | other name it has taken: batbodypokeextra.exe |

C:\PROGRA~1\upload admin bind

| Filename | Size | CRC-32 |
|---|---|---|
| DELETE PLAY.exe | 15526 | 95665A33 |

And I'm unable to delete any of these files!!

They are not displayed in taskmgr, and:

--
PsKill v1.03 - local and remote process killer
Copyright (C) 2000 Mark Russinovich
http://www.sysinternals.com

Unable to kill process cemaylou.exe:
Process does not exist.
--

I've tried to sniff all these exe names using tools from SysInternals but I can't find any of these o_o !!

Here is a list of all the word-parts that this "thing" uses: face, license, free, bait, grey, send, locks, admin, bash, meta, poll, hole, name, cemaylou (single word?), log, dupe, road, seek, barb, regs, win, upload, bind, delete, play, corn, internet, soft, cool, dash, bat, body, poke, extra.

What the hell is going on on my computer?? Is Big Brother watching me? =)

I've uploaded these files on: http://swun.free/helpplease/

Thank you very much indeed for your help.. and sorry for my really bad English.

++ eNs!feRuM*

--__--__--

thanks
Randall

___________________________________________________________
Fidelity Communications Webmail - http://webmail.fidnet.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
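The check the poster did by hand (GREYSEND.EXE, METAPOLL.EXE and cemaylou.exe all being 272966 bytes with CRC-32 70370FFB, i.e. one binary planted under several names) can be automated over a whole tree. The script below is an added example, not code from the original post or from any tool mentioned in it; it indexes every file by (size, CRC-32) and reports keys that occur under more than one name. The sample tree it builds is constructed here: the directory and file names mirror the post, but the file contents are invented stand-ins, not the real samples.

```python
"""Group files by (size, CRC-32) to spot one binary dropped under several names.

Added example, not from the original post. The sample tree is constructed here;
its names follow the post, its contents are invented.
"""
import os
import tempfile
import zlib
from collections import defaultdict


def crc32_hex(data: bytes) -> str:
    """CRC-32 as 8 uppercase hex digits, the format used in the post."""
    return f"{zlib.crc32(data) & 0xFFFFFFFF:08X}"


def fingerprint_tree(root: str) -> dict:
    """Map (size, crc32) -> sorted relative paths of every regular file under root."""
    index = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            index[(len(data), crc32_hex(data))].append(os.path.relpath(path, root))
    return {key: sorted(paths) for key, paths in index.items()}


def renamed_copies(index: dict) -> dict:
    """Keep only fingerprints that appear under more than one file name."""
    return {key: paths for key, paths in index.items() if len(paths) > 1}


def build_sample_tree() -> str:
    """Constructed stand-in for the directories in the post (contents invented)."""
    root = tempfile.mkdtemp(prefix="fd_sample_")
    dropper = b"MZ" + b"\x90" * 60 + b"constructed-payload"   # not the real binary
    layout = {
        os.path.join("face license free bait", "GREYSEND.exe"): dropper,
        os.path.join("face license free bait", "METAPOLL.exe"): dropper,
        os.path.join("Corn Internet Soft", "cemaylou.exe"): dropper,
        os.path.join("Corn Internet Soft", "HOLE NAME.exe"): b"MZ" + b"\x00" * 40 + b"other",
        os.path.join("upload admin bind", "DELETE PLAY.exe"): b"MZ" + b"\xcc" * 12,
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for (size, crc), names in renamed_copies(fingerprint_tree(sample_root)).items():
        print(f"{size:>8} {crc}  {', '.join(names)}")
```

Point it at `C:\Program Files` and `All Users\Application Data` on the affected box and every group with more than one name is a candidate for the same dropper. Because the poster's files were locked and their processes invisible to taskmgr and pskill, run the scan from a clean boot medium rather than from the running install, or the hiding component may filter what `os.walk` sees.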