[Dshield] Trojan-like behavior

Bob Savage bsavage at rnr-inc.com
Fri Oct 25 16:10:56 GMT 2002


The discussion on "Friendly Greeting" reminds me of something I found on
a family member's machine a few weeks ago.

Do any of these names mean anything to anybody in this group?

	agobot
	sysldr32.exe
	spoinggg.exe

I was asked to check the machine because the user was getting
undeliverable notices on emails he hadn't sent.  I discovered
spoinggg.exe trying to access the internet.  Notes in the object
properties said it was from "agobot".  Icon beside the file appeared to
be a cartoon devil.  Subsequently found sysldr32.exe, same icon, same
file size, property note.  Both files were in WINNT\System32\.  Frankly,
"sysldr32" sounds official enough that I was a little hesitant to take a
hammer to it.  Googled all three of these names, also searched the MS
Knowledge Base and several anti-virus sites, all unsuccessfully.  Turned
up nothing.

None of this stuff showed up in "Add/Remove Programs".  AdAware and
Trend Micro didn't care about them.  Sysldr32 was running as a service
and I had a hard time getting it stopped and deleted.  Spoinggg was a
little easier.  Also found numerous registry references to sysldr32.
User has had no further problem and says there has been no adverse
result from deleting these programs.  Incidentally, the operating system
(W2K) is fully patched and the anti-virus software is up-to-date.  I
know because I did all that myself.

Beyond that I couldn't figure out anything.  Anybody seen these or
anything like this?


Bob Savage