[unisog] Super-hidden spamming exploits?

Martin Sapsed m.sapsed at bangor.ac.uk
Tue Sep 30 13:28:12 GMT 2003


(catching up on a backlog of mail...)

Rita Seplowitz Saltz wrote:
> Greetings.
> 
> We've seen a number of student-owned MS Windows machines exploited by 
> spammers, even after the "usual suspects" have been addressed 
> (administrator password, backdoors, remote code, spyware, assorted 
> viruses) and the systems are believed to have been locked down securely.
> 
> Has anyone else seen this kind of thing? And, if so, have you any 
> helpful insights to offer?

We saw a machine a little while back which was smtp'ing to its heart's 
content. Turned out an executable called winmgrsvc2.exe had installed 
itself, I guess via a nasty webpage/hole in IE. Further diagnosis was 
complicated by the fact that the machine was running a Korean version of 
Windows! I sent a copy to Sophos and they produced this ide to detect it...

http://www.sophos.com/virusinfo/analyses/trojneosma.html

Hope this is of some use to someone!

Cheers,

Martin

-- 
Martin Sapsed
Information Services               "Who do you say I am?"
University of Wales, Bangor             Jesus of Nazareth
