[Dshield] Trojan-like behavior
russ.washington at vaultsentry.com
Fri Oct 25 17:43:28 GMT 2002
Haven't heard of these myself. Adaware doesn't catch friendlygreetings
either, but this is no surprise since it only started getting written up
yesterday. Sounds like the same class of trojan though.
Given the AV companies' apparent ambivalence on this, I suspect we're going
to see a lot more of these before it gets better. :(
From: Bob Savage [mailto:bsavage at rnr-inc.com]
Sent: Friday, October 25, 2002 9:11 AM
To: list at dshield.org
Subject: [Dshield] Trojan-like behavior
The discussion on "Friendly Greeting" reminds me of something I found on a
family member's machine a few weeks ago.
Do any of these names mean anything to anybody in this group?
I was asked to check the machine because the user was getting undeliverable
notices on emails he hadn't sent. I discovered spoinggg.exe trying to
access the internet. Notes in the object properties said it was from
"agobot". Icon beside the file appeared to be a cartoon devil.
Subsequently found sysldr32.exe, same icon, same file size, property note.
Both files were in WINNT\System32\. Frankly, "sysldr32" sounds official
enough that I was a little hesitant to take a hammer to it. Googled all
three of these names, also searched the MS Knowledge Base and several
anti-virus sites, all unsuccessfully. Turned up nothing.
None of this stuff showed up in "Add/Remove Programs". AdAware and Trend
Micro didn't care about them. Sysldr32 was running as a service and I had a
hard time getting it stopped and deleted. Spoinggg was a
little easier. Also found numerous registry references to sysldr32.
User has had no further problem and says there has been no adverse result
from deleting these programs. Incidentally, the operating system
(W2K) is fully patched and the anti-virus software is up-to-date. I know
because I did all that myself.
Beyond that I couldn't figure out anything. Anybody seen these or anything
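The steps Bob describes above (spot an unfamiliar binary in System32, check whether it runs as a service, hunt its registry references, read the file's version "property note") can be scripted. What follows is an added example written for this archive page; it is not code from either poster and was not available on Windows 2000 in 2002. It assumes a modern Windows host with PowerShell 5.1 or later and administrator rights; the two file names are the ones from the post, everything else is the editor's choice of checks.

```powershell
# Added example, not from the original thread. Triage one or more executable
# names found on a Windows host: which services launch them, which autostart
# registry values mention them, and what the file itself claims to be.
# Run as Administrator. Default names are the ones reported in Bob's post.
param(
    [string[]]$Names = @('sysldr32.exe', 'spoinggg.exe')
)

foreach ($name in $Names) {
    Write-Host "=== $name ==="

    # 1. Services whose launch command line references the name. The post
    #    found sysldr32 running as a service; PathName is what the SCM runs.
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -like "*$name*" } |
        Select-Object Name, State, StartMode, StartName, PathName |
        Format-List

    # 2. Common autostart locations. Bob found "numerous registry references";
    #    the Run/RunOnce keys are the first place such references live.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (Test-Path $key) {
            (Get-ItemProperty -Path $key).PSObject.Properties |
                Where-Object { $_.Value -is [string] -and $_.Value -like "*$name*" } |
                ForEach-Object { "$key\$($_.Name) = $($_.Value)" }
        }
    }

    # 3. The file: version resource (the "property note" that said "agobot"),
    #    size, hash and Authenticode status. Record the hash before deleting
    #    anything so the sample can still be identified later.
    $path = Join-Path $env:SystemRoot "System32\$name"
    if (Test-Path $path) {
        $item = Get-Item $path
        $item.VersionInfo |
            Select-Object FileDescription, CompanyName, ProductName, FileVersion |
            Format-List
        Write-Host ("Size: {0} bytes, modified {1}" -f $item.Length, $item.LastWriteTime)
        Write-Host ("SHA256: {0}" -f (Get-FileHash -Path $path -Algorithm SHA256).Hash)
        $sig = Get-AuthenticodeSignature -FilePath $path
        Write-Host ("Signature: {0} {1}" -f $sig.Status, $sig.SignerCertificate.Subject)
    } else {
        Write-Host "not present at $path"
    }
}
```

An unsigned binary in System32 whose version resource names something other than the OS vendor is the thing to chase. If a service turns up in step 1, stop it (Stop-Service -Force, or sc.exe stop) before touching the file, and remove the service definition with sc.exe delete so it does not come back at next boot; the registry matches from step 2 tell you what else to clean. Services can also be registered to run under svchost or as a kernel driver, which this script does not cover.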