[Dshield] Trojan-like behavior

John Hardin johnh at aproposretail.com
Fri Oct 25 18:42:10 GMT 2002


On Fri, 2002-10-25 at 09:10, Bob Savage wrote:
> I was asked to check the machine because the user was getting
> undeliverable notices on emails he hadn't sent.  I discovered
> spoinggg.exe trying to access the internet.  Notes in the object
> properties said it was from "agobot".  Icon beside the file appeared to
> be a cartoon devil.  Subsequently found sysldr32.exe, same icon, same
> file size, property note.  Both files were in WINNT\System32\.  Frankly,
> "sysldr32" sounds official enough that I was a little hesitant to take a
> hammer to it.  Googled all three of these names, also searched the MS
> Knowledge Base and several anti-virus sites, all unsuccessfully.  Turned
> up nothing.

Fascinating. Any readable text strings in those files?

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 ...people confuse "security" and "Trustworthy Computing."
                                 - Craig Mundie, MS Senior VP and CTO
-----------------------------------------------------------------------
 2 days until Daylight Savings Time ends



