[Dshield] Trojan-like behavior
drxlecter at phreaker.net
Fri Oct 25 18:46:19 GMT 2002
This person is infected with an IRC bot. See
AIM - absolutxpsycho
Yahoo! - absolut_contagion
ICQ - 1363187
MSN - r00t at creighton.edu
-----BEGIN GEEK CODE BLOCK-----
GSS d-- s: a-- C++ UL++++ P+ L+ E W++ N+ o-- K- w+
O-- M V-- PS++ PE Y+ PGP- t-- 5-- X++ R- tv+ b+++ DI D+
G e* h- r++ x+
------END GEEK CODE BLOCK------
From: list-admin at dshield.org [mailto:list-admin at dshield.org] On Behalf Of Bob Savage
Sent: Friday, October 25, 2002 11:11 AM
To: list at dshield.org
Subject: [Dshield] Trojan-like behavior
The discussion on "Friendly Greeting" reminds me of something I found on
a family member's machine a few weeks ago.
Do any of these names mean anything to anybody in this group?
I was asked to check the machine because the user was getting
undeliverable notices on emails he hadn't sent. I discovered
spoinggg.exe trying to access the internet. Notes in the object
properties said it was from "agobot". Icon beside the file appeared to
be a cartoon devil. Subsequently found sysldr32.exe, same icon, same
file size, property note. Both files were in WINNT\System32\. Frankly,
"sysldr32" sounds official enough that I was a little hesitant to take a
hammer to it. Googled all three of these names, also searched the MS
Knowledge Base and several anti-virus sites, all unsuccessfully. Turned
None of this stuff showed up in "Add/Remove Programs". AdAware and
Trend Micro didn't care about them. Sysldr32 was running as a service
and I had a hard time getting it stopped and deleted. Spoinggg was a
little easier. Also found numerous registry references to sysldr32.
User has had no further problem and says there has been no adverse
result from deleting these programs. Incidentally, the operating system
(W2K) is fully patched and the anti-virus software is up-to-date. I
know because I did all that myself.
Beyond that I couldn't figure out anything. Anybody seen these or
anything like this?
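The triage Bob describes (one odd executable found, then a second copy under an official-looking name spotted because it shares the icon, file size and properties note, followed by a hunt through services and registry keys for references to both) is easy to turn into a repeatable check. The following Python is an added example and not code from the post or from anyone on the list; the file records and persistence entries are constructed for illustration (the names spoinggg.exe, sysldr32.exe and "agobot" come from the post, the sizes and registry paths are made up), and on a real machine they would be filled from a directory listing, the service control manager and the Run keys.

```python
"""Triage helper: starting from one suspicious executable, find other files
that share its size and version-info note (likely copies under other names),
then list every service or autorun entry whose image path points at any of them.

Added example, not part of the original message. All records below are
constructed; only the file names and the "agobot" note come from the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileRecord:
    name: str
    directory: str
    size: int
    version_note: str  # text seen in the file's Properties dialog (company/product)


# Constructed inventory of %SystemRoot%\System32 (sizes are invented).
INVENTORY = [
    FileRecord("spoinggg.exe", r"C:\WINNT\System32", 187904, "agobot"),
    FileRecord("sysldr32.exe", r"C:\WINNT\System32", 187904, "agobot"),
    FileRecord("notepad.exe", r"C:\WINNT\System32", 53248, "Microsoft Corporation"),
    FileRecord("calc.exe", r"C:\WINNT\System32", 94208, "Microsoft Corporation"),
]

# Constructed persistence references: (location, entry name, image path).
REFERENCES = [
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "sysldr32",
     r"C:\WINNT\System32\sysldr32.exe"),
    ("Services", "sysldr32", r"C:\WINNT\System32\sysldr32.exe"),
    ("Services", "Spooler", r"C:\WINNT\System32\spoolsv.exe"),
]


def clone_groups(files):
    """Group files whose size and version note match; keep groups of two or more."""
    groups = defaultdict(list)
    for f in files:
        groups[(f.size, f.version_note.lower())].append(f)
    return {key: members for key, members in groups.items() if len(members) > 1}


def clones_of(seed_name, files):
    """Names of files that look like renamed copies of the seed file."""
    seed = next((f for f in files if f.name.lower() == seed_name.lower()), None)
    if seed is None:
        return []
    return sorted(
        f.name for f in files
        if f is not seed
        and f.size == seed.size
        and f.version_note.lower() == seed.version_note.lower()
    )


def references_to(names, refs):
    """Services and autorun entries whose image path ends in one of the names."""
    wanted = {n.lower() for n in names}
    hits = []
    for location, entry, image in refs:
        base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if base in wanted:
            hits.append((location, entry, image))
    return hits


def triage(seed_name, files=INVENTORY, refs=REFERENCES):
    """Expand one suspect into its clones and collect everything that launches them."""
    suspects = [seed_name] + clones_of(seed_name, files)
    return {"suspects": suspects, "references": references_to(suspects, refs)}


if __name__ == "__main__":
    report = triage("spoinggg.exe")
    print("suspect files:", ", ".join(report["suspects"]))
    for location, entry, image in report["references"]:
        print(f"  {location} -> {entry} = {image}")
```

Matching on size plus version note is deliberately loose: a bot that drops a second copy of itself rarely bothers to change either, while legitimate system files almost never collide on both. The service and Run-key references are what make the removal order matter, which is why the report lists them before anything is deleted.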