Security Incidents mailing list archives

notepad.exe backdoor


From: Ron Cohen <rony () rony clara net>
Date: Sun, 19 Nov 2000 10:39:02 -0000

Hi
can't remember seeing that on the list - so here it is:
while trying to install a game on my kids' PC, I noticed a notepad process
running as a hidden window. further investigation revealed that:
o upon startup it tries to connect to 202.106.185.107:25;
o listens on about 10 TCP ports from 1024 upward;
o propagates itself via sharing;
o installs itself in run with the key satrtIE;
o when starting it without any arguments a very similar window to the
   real notepad pops up, except for the Microsoft signatures.
o the original notepad is saved as note.com.

drop me a line if you want a copy.

------------------
Ron Cohen
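
A triage check built from the indicators listed in the message above, added here as an example and not part of the original post. The snapshot format (five-column socket lines, a dict of Run values, a list of file paths), the function names and both sample hosts are constructed assumptions.

```python
import ntpath

PEER = ("202.106.185.107", 25)  # address and port given in the report
RUN_VALUE = "satrtIE"           # Run value name, spelled as in the report
ORIGINAL_COPY = "note.com"      # name the report gives for the saved original

# Constructed snapshots (not from the report): "proto local remote state image"
# socket lines, Run values as a dict, and a flat list of file paths.
INFECTED = {
    "net": "TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING notepad.exe\n"
           "TCP 192.168.0.5:1030 202.106.185.107:25 SYN_SENT notepad.exe\n"
           "TCP 192.168.0.5:1044 192.168.0.1:80 ESTABLISHED iexplore.exe\n",
    "run": {"satrtIE": r"C:\WINDOWS\notepad.exe", "SystemTray": "SysTray.Exe"},
    "files": [r"C:\WINDOWS\notepad.exe", r"C:\WINDOWS\note.com"],
}
CLEAN = {
    "net": "TCP 192.168.0.6:1044 192.168.0.1:80 ESTABLISHED iexplore.exe\n",
    "run": {"SystemTray": "SysTray.Exe"},
    "files": [r"C:\WINDOWS\notepad.exe"],
}

def parse_sockets(text):
    """Turn the five-column socket lines into dicts, skipping malformed rows."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _, local, remote, state, image = parts
        rhost, _, rport = remote.rpartition(":")
        lport = local.rpartition(":")[2]
        if lport.isdigit() and rport.isdigit():
            rows.append({"lport": int(lport), "rhost": rhost, "rport": int(rport),
                         "state": state, "image": image.lower()})
    return rows

def triage(host):
    """Return the names of the reported indicators that this snapshot matches."""
    hits = set()
    socks = [s for s in parse_sockets(host["net"]) if s["image"] == "notepad.exe"]
    if any(s["state"] == "LISTENING" and s["lport"] >= 1024 for s in socks):
        hits.add("notepad-listening")
    if any((s["rhost"], s["rport"]) == PEER for s in socks):
        hits.add("notepad-to-reported-peer")
    if any(n == RUN_VALUE or "notepad.exe" in c.lower() for n, c in host["run"].items()):
        hits.add("run-entry")
    by_dir = {}
    for path in host["files"]:
        by_dir.setdefault(ntpath.dirname(path).lower(), set()).add(ntpath.basename(path).lower())
    if any({"notepad.exe", ORIGINAL_COPY} <= names for names in by_dir.values()):
        hits.add("note.com-beside-notepad")
    return hits
```

Any single hit is worth a closer look, since a text editor has no reason to own sockets or a Run entry; the sample infected host matches all four.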

