[dshield] Re: [Dshield] Guru Help Please.

R Shady RShady at stny.rr.com
Sun Aug 24 20:29:29 GMT 2003


Probably one of the best is SpyBot S&D here:

http://spybot.eon.net.au/index.php?lang=en&page=bots

Be careful when you use it though - it lists Windows files also.
Read the help files carefully.

Wayne Jr wrote:
> Is there any way to tell if there is a keylogger program running (or 
> on your computer)?
> Thanks,
> Wayne Jr
> 
> 
> On Sun, 24 Aug 2003 12:10:50 -0600, Chris Ream wrote:
> 
>>Hi All,
>>
>>I'm not quite sure what to do with something I'm working on, so I thought
>>I would put it out to the group to see if you bright folks can help me.
>>
>>Using Filemon I discovered that an application calling itself BEFC.EXE
>>is running out of my startup folder. It seems to be a keystroke logger
>>because it's writing temp files when I do things like send email, write
>>to Notepad etc...
>>
>>I am proficient in assembly and wish to disassemble it and see exactly
>>what it's doing; however, it's packed with UPX. I tried decompressing it
>>with the latest version of UPX but it gives me a checksum error and won't
>>decompress the file. The weird thing is that it obviously decompresses
>>itself when it runs.
>>
>>I am thinking that the virus writer intentionally modified the checksum
>>so it would be harder to un-UPX and disassemble. This thing is scary;
>>it's making calls to Winsock.
>>
>>Has anyone dealt with this type of situation before? If so, help me out
>>here.
>>
>>Thanks
>>
>>Chris.
>>
>>
>>_______________________________________________
>>list mailing list
>>list at dshield.org
>>To change your subscription options (or unsubscribe), see:
>>http://www.dshield.org/mailman/listinfo/list
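As an added triage example (not code from this thread, from SpyBot, or from UPX itself), a small Python check for the UPX markers Chris mentions: it walks the PE section table of a file like the one found in the startup folder and reports the UPX0/UPX1 section names and the "UPX!" marker. The sample PE built by `build_sample_pe` is constructed here for testing and is headers only, not a real program.

```python
import struct

# UPX names the sections it creates UPX0/UPX1 (sometimes UPX2) and leaves a
# "UPX!" marker; both can be edited away, so a hit is a triage signal, not proof.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
UPX_MAGIC = b"UPX!"


def pe_section_names(data):
    """Return the section names of a PE file image held in memory."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]        # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = pe_off + 4                                        # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    first = coff + 20 + opt_size                             # section table
    names = []
    for i in range(num_sections):
        off = first + i * 40                                 # 40-byte entries
        if off + 40 > len(data):
            raise ValueError("section table truncated")
        names.append(data[off:off + 8].rstrip(b"\0").decode("latin-1"))
    return names


def upx_indicators(data):
    """Summarise the UPX markers present in a PE image."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_sections": [n for n in names if n in UPX_SECTION_NAMES],
        "upx_magic": UPX_MAGIC in data,
    }


def build_sample_pe(section_names, trailer=b""):
    """Constructed minimal PE header (headers only, not runnable) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer


if __name__ == "__main__":
    # Constructed sample standing in for a packed file found in the startup folder.
    sample = build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], trailer=b"\0UPX!\0")
    print(upx_indicators(sample))
```

To check a real file, read it with `open(path, "rb").read()` and pass the bytes to `upx_indicators`; a hit tells you the file is worth a closer look, not that the checksum error is deliberate.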