Full Disclosure mailing list archives
Spyware? Worm? Trojan? "face license free bait"
From: "eNs!feRuM*" <ensiferum () hispeed ch>
Date: Wed, 29 Sep 2004 17:37:28 +0200
Hello the list ! I found something VERY VERY STRANGE on my computer last evening...While looking for spywares on my computer using HijackThis, I saw this strange line :
O4 - HKLM\..\Run: [Free Bait Cool Dash] C:\Documents and Settings\All Users\Application Data\face license free bait\GREYSEND.exe
Here is the content of "face license free bait" :- a locked file (unable to delete it!!) called "locksadminbash", size : 3536, crc32 : 6A65964A, set as "system file" and of type "Driver" (how could an extension-less file be recognized by Windows as a "driver" ?!?!) - two locked programs called "GREYSEND.EXE" and "METAPOLL.EXE", same size : 272966, same crc32 : 70370FFB
Yesterday evening, when I first saw this directory, there was another file called "HOLE NAME.EXE" in the same directory (and METAPOLL), same size, and I could delete it.
While writing this lines I found two another shit directories :'( C:\PROGRA~1\Corn Internet Soft Filename Size CRC-32 C5EDFC35 1060 92EE5B2C [set as system files]cemaylou.exe 272966 70370FFB (other name it has taken : nxkkxpjy.exe, greyend.exe, metapoll.exe)
HOLE NAME.exe 240663 A2325E7C logduperoad.exe 9970 25C7A91Dseek barb regs win.exe 47616 D41BE72E (other name it has taken : batbodypokeextra.exe)
C:\PROGRA~1\upload admin bind Filename Size CRC-32 DELETE PLAY.exe 15526 95665A33And I'm unable to delete any of these files !! They are not displayed in taskmgr, and :
-- PsKill v1.03 - local and remote process killer Copyright (C) 2000 Mark Russinovich http://www.sysinternals.com Unable to kill process cemaylou.exe: Process does not exist. --I've tried to sniff all these exe names using tools from SysInternals but I can't find any of these o_o !!
Here is a list of all the word-parts that this "thing" uses" :face, license, free, bait, grey, send, locks, admin, bash, meta, poll, hole, name, cemaylou (single word?), log, dupe, road, seek, barb, regs, win, upload, bind, delete, play, corn, internet, soft, cool, dash, bat, body, poke, extra.
What the hell is going on on my computer ?? Is Big Brother watching me ? =) I've uploaded these files on: http://swun.free/helpplease/Thank you very much indeed for your help.. and sorry for my really bad english.
++ eNs!feRuM* _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Spyware? Worm? Trojan? "face license free bait" eNs!feRuM* (Sep 29)
- Message not available
- Spyware? Worm? Trojan? "face license free bait" ==> Everything is OK.. eNs!feRuM* (Sep 29)
- Message not available
- Re: Spyware? Worm? Trojan? "face license free bait" Harlan Carvey (Sep 29)
- Re: Spyware? Worm? Trojan? "face license free bait" Jason Thibeault (Sep 29)