Re: strange windows behaviour.

[Derek <infosec_guy2003 () yahoo com>]

Spybot Search & Destroy is a good tool to use in
addition to your AV scanner to seek out adware,
spyware, and other obnoxious spewing stuff.  Note that
it may also nail Windows Media Player as spyware.
[at http://www.safer-networking.org/]

Derek

> -----Original Message-----
> From: John Sage [mailto:jsage () finchhaven com] 
> Sent: Tuesday, October 07, 2003 10:04 AM
> To: Peter Moody
> Cc: incidents () securityfocus com
> Subject: Re: strange windows behaviour.
>
>
> Peter:
>
> On Mon, Oct 06, 2003 at 01:05:13PM -0700, Peter
> Moody wrote:
> > Hello all,
> >
> > I've got a bit of a problem, and I was wondering
> if anyone on this 
> > list has seen similar things.  Recently, we've
> been having student 
> > windows machines on our residential network begin
> spewing large, 
> > massive (on the order of hundreds of thousands in
> a few hours) spam 
> > messages at our mail servers.  We promptly
> disconnect the machines and
>
> > head down to do some forensic work on the boxes
> when we get a chance 
> > (usually after they call to complain that the
> internet has died).
> > I've been trying to find information on this, but
> the most I've been 
> > able to come up with is an advisory from
> symantec's threat management 
> > system saying Mprox (some sort of MS proxy) is to
> blame.  None of the 
> > machines I've gone and examined have had this
> program running or on 
> > the system anywhere for that matter.
> >
> > Has anyone else had similar problems of late? 
> This all started for us
>
> > about a week ago and it's showing no signs of
> going away any time 
> > soon.
>
> You may be interested in this 09/06/03 post to the
> UNISOG maillist
> (unisog () sans org):
>
> /* begin post fragment */
>
> From: Paul Russell <prussell () nd edu>
> To: unisog () sans org
> Subject: [unisog] Spam from student-owned computers
> Date: Mon, 06 Oct 2003 15:51:12 -0500
>
> In the past ten days, we have had five incidents in
> which student-owned
> computers in our residence hall network (ResNet)
> were used to send large
> quantities of spam. I have seen similar reports from
> other sites, so I
> thought some of you might be interested our
> experience. Appended below
> are the case notes from one of these incidents. The
> report has been
> edited to remove all personal identification
> information. The analysis
> of the student's workstation was performed by a
> member of our
> Information Security team. 
>
> --
> Paul Russell
> Senior Systems Administrator
> University of Notre Dame


__________________________________
Do you Yahoo!?
The New Yahoo! Shopping - with improved product search
http://shopping.yahoo.com

---------------------------------------------------------------------------
----------------------------------------------------------------------------