Educause Security Discussion mailing list archives

Re: Ph0t0Sh0p.exe


From: "Lucas, Bryan" <b.lucas () TCU EDU>
Date: Tue, 14 Sep 2004 21:57:51 -0500

Did you look at ADS?

Bryan Lucas
Lead Server Administrator
Texas Christian University
(817) 257-6971

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Andrew Watson
Sent: Monday, September 13, 2004 6:08 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Ph0t0Sh0p.exe

We have had two student systems show up on campus displaying Nachi/Welchia activity (caught by our MS-RPCDCOM filter 2289 on tipping point). After we got our hands on the systems, none of our standard cleaning tools or AV software were successful at finding any problems. The only thing that we could find out of the ordinary was a single program, Ph0t0Sh0p.exe, that looked suspicious. It constantly takes about 70% CPU on both systems, and will trigger over 3000 alerts per hour on tipping point if connected to the network. I am going to have the students wipe the machines and re-install, but I was curious to find out if anyone on this list had seen this type of activity. We have tried Symantec AV, Blaster/Nachi/Welchia cleaning utilities, spybot, and adaware with no success.

Any advice would be greatly appreciated.

Sincerely,

Andrew Watson
Sr. Systems Administrator
The Colorado College
14 E. Cache La Poudre St.
Armstrong Hall, 1A
Colorado Springs, CO 80903
Phone: 719-389-6733
Fax: 719-389-6733

********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.


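Bryan's "Did you look at ADS?" refers to NTFS alternate data streams: a file can carry named streams besides its default data stream, and content parked there does not appear in an ordinary directory listing or file-size column, so a scanner that only walks visible files can miss it. The script below is an added example, not part of either message, showing how a defender would enumerate every non-default stream under a directory tree. The scan root is a placeholder, and the Zone.Identifier stream (the browser "mark of the web") is excluded by default because it is expected on downloaded files and would otherwise drown out anything unusual.

```powershell
# Added example (not from the thread). Enumerates NTFS alternate data streams
# (ADS) under a directory tree and reports every stream other than the
# default unnamed data stream, which Get-Item shows as ':$DATA'.
# Assumes Windows PowerShell 3.0 or later on an NTFS volume. The scan root
# below is a placeholder; Zone.Identifier is the usual browser "mark of the
# web" and is ignored by default so real anomalies stand out.
param(
    [string]$Root = 'C:\Users',                      # placeholder scan root
    [string[]]$IgnoreStreams = @('Zone.Identifier')  # known-benign stream names
)

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Ignore = @()
    )

    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, with FileName, Stream and Length
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

$hits = Find-AlternateDataStreams -Path $Root -Ignore $IgnoreStreams
if ($hits) {
    # Largest streams first: a hidden executable or payload is rarely tiny
    $hits | Sort-Object Length -Descending | Format-Table -AutoSize
    # To read (not run) a stream's content for inspection:
    #   Get-Content -LiteralPath '<file>' -Stream '<name>' -Raw
} else {
    "No non-default alternate data streams found under $Root"
}
```

Run it as `.\Find-Ads.ps1 -Root 'D:\'` from an elevated prompt so hidden and system files are included; pass `-IgnoreStreams @()` to see Zone.Identifier entries too. Without PowerShell, `dir /r /s` in cmd.exe (Windows Vista onward) prints the same stream names and sizes next to each file, which is enough to spot a file whose stream is far larger than the file itself.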
