[Dshield] Trojan-like behavior

Bob Savage bsavage at rnr-inc.com
Fri Oct 25 19:26:12 GMT 2002


Hmmm.  Well, they're both executables (.exe).  Normally I'd never
hesitate to try to open anything with a text reader but I don't think it
occurred to me this time.  I'll look and let you know!

-----Original Message-----
From: John Hardin [mailto:johnh at aproposretail.com]
Sent: Friday, October 25, 2002 1:42 PM
To: DShield mailing list
Subject: Re: [Dshield] Trojan-like behavior


On Fri, 2002-10-25 at 09:10, Bob Savage wrote:
> I was asked to check the machine because the user was getting
> undeliverable notices on emails he hadn't sent.  I discovered
> spoinggg.exe trying to access the internet.  Notes in the object
> properties said it was from "agobot".  Icon beside the file appeared
to
> be a cartoon devil.  Subsequently found sysldr32.exe, same icon, same
> file size, property note.  Both files were in WINNT\System32\.
Frankly,
> "sysldr32" sounds official enough that I was a little hesitent to take
a
> hammer to it.  Googled all three of these names, also searched the MS
> Knowledge Base and several anti-virus sites, all unsuccessfully.
Turned
> up nothing.

Fascinating. Any readable text strings in those files?

-- 
John Hardin  KA7OHZ                           <johnh at aproposretail.com>
Internal Systems Administrator                    voice: (425) 672-1304
Apropos Retail Management Systems, Inc.             fax: (425) 672-0192
-----------------------------------------------------------------------
 ...people confuse "security" and "Trustworthy Computing."
                                 - Craig Mundie, MS Senior VP and CTO
-----------------------------------------------------------------------
 2 days until Daylight Savings Time ends

_______________________________________________
Dshield mailing list
Dshield at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list




More information about the list mailing list