hidden files

Subject / Author / Date
hidden files  Jim Watt  04-17-2006
  Re: hidden files  David H. Lipman  04-17-2006
  Re: hidden files  nuvin.goonmeter  04-19-2006
Posted by Jim Watt on April 17, 2006, 10:09 am
I have a machine running server/2000 which had/has some sort of
malware on it. Running the usual programs does not remove it
however inspecting the processes running with the excellent tool
from Sysinternals shows a process called

ntserv.exe

Which is started by a registry key and hides in a directory
under the system of

controlp.

The program seems to want to set up a connection to an
external IP on port 6667.

Killing the process and removing the key disables it, however
it raises the issue of the way it hides from the anti-malware
software and me.

It's not a recent thing, as it's been on the system for around six
months and was only really a problem when it was re-booted,
which is infrequently. However, time to get to the bottom of it ...

In view of their excellent software being free, I bought the
book.

BUT WAIT ... there's more

Immediately after receiving a confirmation email from
Amazon, I got a phishing email claiming to be them.
Is this magic or coincidence?

It's a wicked world out there.
--
Jim Watt
http://www.gibnet.com
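The triage the post describes (a process found by its outbound connection to port 6667, tied back to the image on disk and to the registry Run entry that starts it) can be scripted rather than eyeballed. The block below is an added example, not code from the original post or from Sysinternals: it parses constructed samples of `netstat -ano`, `tasklist` and `reg query ...\Run` output and reports any process talking to an IRC port together with the autostart entry that launches it. The sample rows, the image name and the `controlp` path under `system32` are illustrative values, not data from the poster's machine; note that Windows 2000's `netstat` lacks `-o`, so on that platform the PID column would come from a tool such as Sysinternals TCPView instead.

```python
"""Triage for a suspected IRC bot: correlate outbound connections on the IRC
port with the owning process and with autostart (Run key) entries.

Added example. All input below is constructed sample data in the format of
`netstat -ano`, `tasklist` and `reg query ...\\Run` output; none of it comes
from the poster's machine, and the file and key names are illustrative.
"""
import re
from collections import defaultdict

# Port named in the post; other common IRC ports (6660-6669, 7000) could be added.
IRC_PORTS = {6667}

# Constructed `netstat -ano` output (XP+ format; Windows 2000's netstat has no -o).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    192.0.2.10:1042        198.51.100.7:6667      SYN_SENT        1588
  TCP    192.0.2.10:1045        203.0.113.9:443        ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    812 Console                    0      4,512 K
iexplore.exe                  1204 Console                    0     18,004 K
ntserv.exe                    1588 Console                    0      2,340 K
"""

# Constructed `reg query HKLM\...\Run` output (hypothetical value names and paths).
RUNKEY_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    VMware Tools    REG_SZ    C:\Program Files\VMware\VMware Tools\VMwareTray.exe
    NT Service      REG_SZ    C:\WINNT\system32\controlp\ntserv.exe
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s", re.IGNORECASE)
RUNKEY_RE = re.compile(r"^\s*(.+?)\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$")


def parse_netstat(text):
    """Return TCP rows as (remote_ip, remote_port, state, pid); UDP rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m.group(2), int(m.group(3)), m.group(4), int(m.group(5))))
    return rows


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    images = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            images[int(m.group(2))] = m.group(1)
    return images


def parse_runkey(text):
    """Return (value_name, command) pairs from `reg query` output of a Run key."""
    return [(m.group(1), m.group(2)) for m in map(RUNKEY_RE.match, text.splitlines()) if m]


def find_irc_suspects(netstat_text, tasklist_text, runkey_text, ports=IRC_PORTS):
    """Processes with a connection to an IRC port, plus any Run entry that launches the same image."""
    images = parse_tasklist(tasklist_text)
    autostart = defaultdict(list)
    for name, command in parse_runkey(runkey_text):
        # Match on the executable's basename so a path under system32\controlp still correlates.
        exe = command.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        autostart[exe].append((name, command))
    suspects = []
    for remote_ip, remote_port, state, pid in parse_netstat(netstat_text):
        if remote_port not in ports:
            continue
        image = images.get(pid, "<unknown>")
        suspects.append({
            "pid": pid,
            "image": image,
            "remote": f"{remote_ip}:{remote_port}",
            "state": state,
            "autostart": autostart.get(image.lower(), []),
        })
    return suspects


if __name__ == "__main__":
    for s in find_irc_suspects(NETSTAT_SAMPLE, TASKLIST_SAMPLE, RUNKEY_SAMPLE):
        print(f"PID {s['pid']} {s['image']} -> {s['remote']} ({s['state']})")
        for name, command in s["autostart"]:
            print(f"  started from Run value '{name}': {command}")
```

A SYN_SENT rather than ESTABLISHED state, as in the sample, is what you would expect when the bot's IRC server is no longer reachable; the process is still worth collecting even though the connection never completes. Correlating the image name with the Run value is what lets you remove both the process and its persistence in one pass, which is what the original poster did by hand.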

Posted by David H. Lipman on April 17, 2006, 6:44 pm

| I have a machine running server/2000 which had/has some sort of
| malware on it. Running the usual programs does not remove it
| however inspecting the processes running with the excellent tool
| from Sysinternals shows a process called
|
| ntserv.exe
|
| Which is started by a registry key and hides in a directory
| under the system of
|
| controlp.
|
| The program seems to want to set up a connection to an
| external IP on port 6667.
|
| Killing the process and removing the key disables it, however
| it raises the issue of the way it hides from the anti-malware
| software and me.
|
| It's not a recent thing, as it's been on the system for around six
| months and was only really a problem when it was re-booted,
| which is infrequently. However, time to get to the bottom of it ...
|
| In view of their excellent software being free, I bought the
| book.
|
| BUT WAIT ... there's more
|
| Immediately after receiving a confirmation email from
| Amazon, I got a phishing email claiming to be them.
| Is this magic or coincidence?
|
| It's a wicked world out there.

Sounds like a W32/IRCBot. A multi-library search for "ntserv.exe" found
nothing, but any infector can be called anything.


Please submit a sample of "ntserv.exe" to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition,
unless told otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
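The reply asks for the sample to be submitted to VirusTotal and the exact per-vendor results posted back. The block below is an added example, not the reply author's procedure or VirusTotal's own code: it hashes a suspect file, builds the report lookup for that hash, and reduces a report to the vendor verdicts worth posting. It assumes the current VirusTotal v3 REST API as documented (GET `/api/v3/files/<hash>` with an `x-apikey` header, verdicts under `last_analysis_results`), which postdates the 2006 Flash and e-mail submission routes quoted in the reply. The sample bytes and the JSON report are constructed stand-ins, not a real ntserv.exe or a real VirusTotal response, and no network request is made.

```python
"""Hash a suspect file, build the VirusTotal v3 report lookup for it, and
reduce the report to the per-vendor verdicts the thread asks to be posted back.

Added example. SAMPLE_BYTES and SAMPLE_REPORT are constructed stand-ins; the
request shape follows the VirusTotal v3 documentation and nothing is sent.
"""
import hashlib
import json
import re
from collections import Counter

VT_API = "https://www.virustotal.com/api/v3"

# Constructed stand-in for the suspect binary (a PE header stub, not real malware).
SAMPLE_BYTES = b"MZ\x90\x00" + b"\x00" * 60 + b"This program cannot be run in DOS mode."

# Constructed stand-in for a v3 file report; vendor names are placeholders.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {
        "last_analysis_stats": {"malicious": 3, "undetected": 2},
        "last_analysis_results": {
            "VendorA": {"category": "malicious", "result": "W32/IRCBot.gen"},
            "VendorB": {"category": "malicious", "result": "Backdoor.IRCBot"},
            "VendorC": {"category": "undetected", "result": None},
            "VendorD": {"category": "malicious", "result": "Trojan.IRC.Bot"},
            "VendorE": {"category": "undetected", "result": None},
        },
    }}
})

# Tokens that appear in almost every detection name and say nothing about the family.
GENERIC_TOKENS = {"w32", "win32", "trojan", "backdoor", "gen", "generic", "a", "b", "variant"}


def sha256_of(data: bytes) -> str:
    """SHA-256 of the file contents; VirusTotal accepts MD5, SHA-1 or SHA-256 as the file id."""
    return hashlib.sha256(data).hexdigest()


def lookup_request(data: bytes, api_key: str) -> dict:
    """Describe the hash lookup to try before uploading.

    A hash lookup discloses nothing about the file; an upload shares the sample
    with participating vendors unless you opt out, as the reply notes.
    """
    return {"method": "GET",
            "url": f"{VT_API}/files/{sha256_of(data)}",
            "headers": {"x-apikey": api_key}}


def family_hint(names):
    """Most common non-generic token across vendor detection names, or None."""
    tokens = Counter()
    for name in names:
        for tok in re.split(r"[^A-Za-z0-9]+", name.lower()):
            if tok and tok not in GENERIC_TOKENS:
                tokens[tok] += 1
    return tokens.most_common(1)[0][0] if tokens else None


def summarize_report(report_json: str) -> dict:
    """Reduce a v3 file report to counts plus the vendors that flagged it and their names."""
    attrs = json.loads(report_json)["data"]["attributes"]
    results = attrs.get("last_analysis_results", {})
    flagged = sorted((vendor, r["result"]) for vendor, r in results.items()
                     if r.get("category") in ("malicious", "suspicious"))
    return {
        "malicious": attrs.get("last_analysis_stats", {}).get("malicious", 0),
        "engines": len(results),
        "flagged_by": flagged,
        "family_hint": family_hint(name for _, name in flagged),
    }


if __name__ == "__main__":
    req = lookup_request(SAMPLE_BYTES, "<your api key>")
    print("lookup:", req["method"], req["url"])
    summary = summarize_report(SAMPLE_REPORT)
    print(f"{summary['malicious']}/{summary['engines']} engines flag it; "
          f"family hint: {summary['family_hint']}")
    for vendor, name in summary["flagged_by"]:
        print(f"  {vendor}: {name}")
```

Looking the hash up first matters for the caveat in the reply: if the file is already known, you get the vendor verdicts without handing a copy of a possibly sensitive binary to every participating vendor. The family hint is only a crude majority vote over detection names; post the full per-vendor list as the reply requests rather than the one-word summary.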



Posted by Jim Watt on April 18, 2006, 4:15 am
On Mon, 17 Apr 2006 22:44:35 GMT, "David H. Lipman" wrote:

>Please submit a sample of "ntserv.exe" to Virus Total --

Indeed, there's the problem - I can't access the directory,
although I know it's there.

It no longer runs because the registry key has been
deleted (after making a copy).
--
Jim Watt
http://www.gibnet.com

Posted by donnie on April 17, 2006, 6:50 pm
wrote:

>BUT WAIT ... there's more
>
>Immediately after receiving a confirmation email from
>Amazon, I got a phishing email claiming to be them.
>Is this magic or coincidence?
>
>It's a wicked world out there.
>--
#########################################
That's funny and no, it's probably not a coincidence.

Posted by Jim Watt on April 18, 2006, 4:23 am

>wrote:
>
>>BUT WAIT ... there's more
>>
>>Immediately after receiving a confirmation email from
>>Amazon, I got a phishing email claiming to be them.
>>Is this magic or coincidence?
>>
>>It's a wicked world out there.
>>--
>#########################################
>That's funny and no, it's probably not a coincidence.

That's what I think.

There are three possibilities

1. sheer coincidence
2. I have a problem
3. They have a problem

If one rules out 1 on the basis that it's the first Amazon phishing
attempt I've seen, it raises the question of how an external
process has knowledge that I have just placed an order.

The response from them was prompt but the usual blurb one
gets on reporting these things.
--
Jim Watt
http://www.gibnet.com
