Educause Security Discussion mailing list archives
Ph0t0Sh0p.exe
From: Andrew Watson <Andrew.Watson () COLORADOCOLLEGE EDU>
Date: Mon, 13 Sep 2004 17:08:26 -0600
We have had two student systems show up on campus displaying Nachi/Welchia activity (caught by our MS-RPC DCOM filter 2289 on TippingPoint). After we got our hands on the systems, none of our standard cleaning tools or AV software were successful at finding any problems. The only thing that we could find out of the ordinary was a single program, Ph0t0Sh0p.exe, that looked suspicious. It constantly takes about 70% CPU on both systems, and will trigger over 3000 alerts per hour on TippingPoint if connected to the network.

I am going to have the students wipe the machines and re-install. I was curious to find out if anyone on this list had seen this type of activity? We have tried Symantec AV, Blaster/Nachi/Welchia cleaning utilities, Spybot, and Ad-Aware with no success. Any advice would be greatly appreciated.

Sincerely,

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733

Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
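The process name in the post (Ph0t0Sh0p.exe) is a look-alike of a legitimate binary, which is why name-based scanners miss it while a human notices. The triage script below is an added example, not code from the original post or from the list, that normalizes digit-for-letter substitutions so look-alike names compare against known legitimate names, and also flags sustained high CPU; the legitimate-name list, the 50% threshold, and the process snapshot are constructed assumptions.

```python
# Substitutions typical of look-alike names: "Ph0t0Sh0p.exe" -> "photoshop.exe"
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Binaries commonly imitated (assumption: a short starter list, extend per site)
LEGIT_NAMES = {"photoshop.exe", "svchost.exe", "explorer.exe",
               "lsass.exe", "winlogon.exe"}

CPU_THRESHOLD = 50.0  # percent; assumed cut-off for "constantly busy" processes

def normalize(name: str) -> str:
    """Lower-case and undo digit/symbol substitutions so look-alikes compare to real names."""
    return name.lower().translate(LEET)

def is_masquerade(name: str) -> bool:
    """True when the name matches a legitimate binary only after normalization."""
    low = name.lower()
    return low not in LEGIT_NAMES and normalize(name) in LEGIT_NAMES

def triage(processes):
    """processes: iterable of (image name, cpu percent). Returns [(name, [reasons])]."""
    findings = []
    for name, cpu in processes:
        reasons = []
        if is_masquerade(name):
            reasons.append(f"name mimics {normalize(name)}")
        if cpu >= CPU_THRESHOLD:
            reasons.append(f"sustained cpu {cpu:.0f}%")
        if reasons:
            findings.append((name, reasons))
    return findings

# Constructed sample snapshot; not data from the systems described in the post
SAMPLE = [
    ("System Idle Process", 20.0),
    ("svchost.exe", 2.0),
    ("Photoshop.exe", 3.0),
    ("Ph0t0Sh0p.exe", 70.0),
    ("lsa$$.exe", 1.0),
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE):
        print(name, "->", "; ".join(reasons))
```

The real Photoshop.exe at modest CPU produces no finding, while the look-alike is reported on both counts.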
Current thread:
- Ph0t0Sh0p.exe Andrew Watson (Sep 13)
- <Possible follow-ups>
- Re: Ph0t0Sh0p.exe Gaby (Sep 14)
- Re: Ph0t0Sh0p.exe Lucas, Bryan (Sep 14)
- Re: Ph0t0Sh0p.exe Andrew Watson (Sep 15)