Security Basics mailing list archives

Re: aretzj.exe -- reappearing unknown system file


From: Dave C <davec () digistruction com>
Date: Mon, 30 May 2005 20:09:26 -0400

Couple of things I can think of right off the bat that you did not state...

1) Are there any unknown/unfamiliar programs installed?
(customers are known to want those fancy screensavers that contain spyware)

2) Have you tried any of the reputable spyware scanners?

3) You did not say what version of ZA they have. Their site has an online Spyware detector - did you use it?

I have reasonable rates for consulting...   ;-)

Kevin Snively wrote:
I've come across, on a client's machine, a reappearing / self-propagating
read-only system file. The box is running a copy of XP Pro, fully patched.

c:\windows\system32\aretzj.exe

When Internet Explorer is brought up this program (aretzj.exe) asks for
internet access via ZoneAlarm. When deleted, it reappears at bootup and even
if the computer has not been restarted.

I can not find any reference in TechNet or any of the search engines. It is
read only and when deleted, XP claims it is a system file. I tried about
20+ search engines. One mentioned a name, an author of a book published in
1935 - author ha'aretz (without the "j").


What I have done to try and identify the source:

1. looked for other "unknown" files inside of system32, including checking
dates of files such as the KERNEL and KERNEL32 and looked for "suspicious"
files. No results except aretzj.exe

2. cleaned out the [prefetch] folder (no positive results)

3. [Downloaded program files] is and was empty

4. Checked c:\program files\internet explorer
Looked for suspicious or unknown folders in common files.

5. Spent an almost inordinate amount of time poking around in general looking
for clues, identifying plugins, checking system and hidden folders to no
avail.

I am not sure what it is, but I renamed the file to a .txt extension and
read through the "readable" portion of the binary file hoping for some hook
on identifying it.

At this point I am concerned as it is "unidentifiable", the terminology inside
the binary file might be construed with "data mining" and the client does
run proprietary databases - Oh Yes, and I have checked with the vendor of
the client's database software. They tell me nothing is stored on the PC nor
is anything except a browser required to view the database.

We are now using Firefox but the unknown file continues to reappear.  The
only solution I have come up with is to wipe everything reinstall and
restore actual data from a backup.

Any help or suggestions will be greatly appreciated.
Or has anyone run across this culprit?

Sincerely,
Kevin Snively

The HelpDesk Inc ®
kevin () thehelpdeskinc com
615-781-1922 (office)
615-582-0877 (Mobile)
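Kevin's step 1 above (looking by hand for unknown or changed files in system32), as an added example that is not from the thread: a small Python baseline-and-diff script. It assumes the file-name patterns in EXECUTABLE_PATTERNS and demonstrates on a constructed temporary directory rather than a real system32; in use, snapshot a known-good box once, store the result, and diff again after each reboot, so a file that is deleted and comes back is reported as new on every run.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: which extensions count as executables worth baselining.
EXECUTABLE_PATTERNS = ("*.exe", "*.dll", "*.sys")


def sha256_of(path):
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(directory):
    """Map file name -> sha256 for every executable directly inside directory."""
    root = Path(directory)
    result = {}
    for pattern in EXECUTABLE_PATTERNS:
        for path in root.glob(pattern):
            if path.is_file():
                result[path.name] = sha256_of(path)
    return result


def diff_snapshot(baseline, current):
    """Files that appeared, changed content, or vanished since the baseline."""
    return {
        "new": sorted(n for n in current if n not in baseline),
        "changed": sorted(n for n in current if n in baseline and current[n] != baseline[n]),
        "removed": sorted(n for n in baseline if n not in current),
    }


def demo_reappearing_file():
    """Constructed scenario in a temp dir: baseline, then an unknown .exe shows up."""
    with tempfile.TemporaryDirectory() as d:
        known = Path(d, "known.exe")
        known.write_bytes(b"MZ known-good placeholder")  # constructed, not a real PE
        baseline = snapshot(d)
        Path(d, "unknown.exe").write_bytes(b"MZ constructed unknown file")
        known.write_bytes(b"MZ known-good placeholder, modified")
        Path(d, "readme.txt").write_bytes(b"not an executable, ignored")
        return diff_snapshot(baseline, snapshot(d))


if __name__ == "__main__":
    print(demo_reappearing_file())
```

Pair the hash list with a scan of the usual autostart locations to find out what is re-creating the file; the diff alone only tells you that it came back.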

