Educause Security Discussion mailing list archives

Ph0t0Sh0p.exe


From: Andrew Watson <Andrew.Watson () COLORADOCOLLEGE EDU>
Date: Mon, 13 Sep 2004 17:08:26 -0600

We have had two student systems show up on campus displaying Nachi/Welchia
activity (caught by our MS-RPCDCOM filter 2289 on TippingPoint).  After
we got our hands on the systems, none of our standard cleaning tools or AV
software was successful at finding any problems.  The only thing that we
could find out of the ordinary was a single program, Ph0t0Sh0p.exe, that
looked suspicious.  It constantly takes about 70% CPU on both systems, and
will trigger over 3000 alerts per hour on TippingPoint if connected to
the network.  I am going to have the students wipe the machines and
re-install, but I was curious to find out whether anyone on this list had
seen this type of activity.  We have tried Symantec AV, Blaster/Nachi/Welchia
cleaning utilities, Spybot, and Ad-Aware with no success.

Any advice would be greatly appreciated.

Sincerely,

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733

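Added example, not part of Andrew's message or of anything the list posted: the alert volume described above (thousands per hour from a single host) comes from Welchia/Nachi sweeping the network with ICMP echo requests and then trying the RPC DCOM port, TCP/135, on whatever answers. A site without an inline IPS can find the same infected hosts from ordinary firewall or router logs by counting how many distinct destinations one source probes in a short window. The Python below does that. It assumes a hypothetical log line format ("<iso-timestamp> TCP <src> > <dst>:<dport>" or "<iso-timestamp> ICMP type=<n> <src> > <dst>"), the sample traffic is constructed, and the window and threshold are illustrative, not values from the post.

```python
"""Flag hosts doing Welchia/Nachi-style sweeps in firewall logs.

Added example (not from the original mailing-list post). The log line
format, the sample traffic and the thresholds are all assumptions made
for illustration.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Hypothetical log format:
#   2004-09-13T17:08:00 ICMP type=8 10.1.2.3 > 10.1.5.1
#   2004-09-13T17:08:30 TCP 10.1.2.3 > 10.1.5.1:135
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?:ICMP type=(?P<itype>\d+)|TCP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+)"
    r"(?::(?P<dport>\d+))?$"
)


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "itype": int(m.group("itype")) if m.group("itype") else None,
        "dport": int(m.group("dport")) if m.group("dport") else None,
    }


def is_welchia_probe(ev):
    """ICMP echo request (type 8) or a TCP/135 attempt: the two probes
    Welchia uses to locate and attack RPC DCOM targets. Its WebDAV path
    (TCP/80) is deliberately not counted; ordinary browsing would drown it."""
    return ev["itype"] == 8 or ev["dport"] == 135


def find_sweepers(lines, window_s=60, min_targets=20):
    """Map each source to the largest number of distinct hosts it probed
    inside any window of window_s seconds, keeping only sources that
    reached min_targets. Sliding window over per-source sorted events."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_welchia_probe(ev):
            events[ev["src"]].append((ev["ts"], ev["dst"]))

    hits = {}
    for src, evs in events.items():
        evs.sort()
        in_window = Counter()   # dst -> occurrences inside [i, j)
        j = best = 0
        for i in range(len(evs)):
            while j < len(evs) and (evs[j][0] - evs[i][0]).total_seconds() <= window_s:
                in_window[evs[j][1]] += 1
                j += 1
            best = max(best, len(in_window))
            in_window[evs[i][1]] -= 1
            if in_window[evs[i][1]] == 0:
                del in_window[evs[i][1]]
        if best >= min_targets:
            hits[src] = best
    return hits


def build_sample_log():
    """Constructed sample traffic (not a real capture): 10.1.2.3 pings 25
    hosts, then knocks on TCP/135 of 10 of them, all within 40 seconds;
    10.1.2.9 behaves like a normal client."""
    t0 = datetime(2004, 9, 13, 17, 8, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    lines = [f"{stamp(i)} ICMP type=8 10.1.2.3 > 10.1.5.{i + 1}" for i in range(25)]
    lines += [f"{stamp(30 + i)} TCP 10.1.2.3 > 10.1.5.{i + 1}:135" for i in range(10)]
    lines += [
        f"{stamp(0)} TCP 10.1.2.9 > 10.1.5.1:80",
        f"{stamp(5)} ICMP type=8 10.1.2.9 > 10.1.5.2",
        f"{stamp(9)} TCP 10.1.2.9 > 10.1.5.3:135",
        "garbage line that should be ignored",
    ]
    return lines


if __name__ == "__main__":
    for src, n in find_sweepers(build_sample_log()).items():
        print(f"{src}: probed {n} distinct hosts inside one window")
```

The threshold matters more than the parser: one ping or one TCP/135 attempt is normal, but a single workstation touching dozens of distinct addresses on those two probe types within a minute is almost never legitimate on a campus network, and the distinct-destination count is what separates a sweep from a chatty but healthy host.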

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
