Security Incidents mailing list archives

Re: CANADA.EXE program


From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Tue, 11 Mar 2003 10:39:48 -0700

On Tue, Mar 11, 2003 at 11:49:44AM -0400, Boyko, Steve wrote:
One of the people in my office told me he noticed the CPU usage on his
machine was pegged at 100% and Task Manager showed it was an executable
CANADA.EXE that was consuming the time.  (he is running a Windows 2000
laptop)

I looked at his PC and found that the program CANADA.EXE, from C:\Program
Files\Dialers\Canada\Canada.EXE, was indeed pegged at 100% CPU utilization,
although it didn't seem like it was slowing the system down much.

I copied the executable off, then removed it from his registry
(HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run).

I examined the executable using Strings from www.sysinternals.com but found
nothing unusual except that it appears to be a Visual Basic program, based
on the file properties (it has strings such as VS_VERSION_INFO, Comments,
CompanyName, FileDescription, etc. which have blank values).  The list of
imported DLLs at the end show that it does use network-related code, such as
URLMON.DLL, WININET.DLL, and WSOCK32.DLL.

There are no ASCII or Unicode strings of note except for a portion that
seems to start with "This executable", but it is garbled.  The file size is
68,096 bytes.

I Googled for it and saw it was mentioned in a list of known Start-Up
Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm)
with a comment "Known to be a dialler - but is it maliscous or clean?".

Not specifically.  There are a series of "You need to download this
dialer application to access our really great porn" programs.  A good
many are trojaned, and some are known viruses.  If you are feeling
lazy, submit the program to your virus scanner vendor and have them
look at it (that is why you pay them money each year).  They might
even add a signature for the program, making finding it next time
super easy.
-----------------------------------------------------------------------
   __o          Bradley Arlt                    Security Team Lead
 _ \<_          arlt () cpsc ucalgary ca                University Of Calgary
(_)/(_)         I should be biking right now.   Computer Science
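Added example, not part of the thread: a small Python script that does the first-pass triage Steve describes, pulling ASCII and UTF-16LE strings the way Sysinternals Strings does and flagging the network import DLLs and the version-resource fields mentioned above. The sample bytes are constructed to stand in for the real file; the DLL and field names are the ones named in the thread plus ws2_32.dll.

```python
"""First-pass triage of a suspicious binary: extract printable ASCII and
UTF-16LE strings and flag network-capable import DLLs and version-resource
fields. Standard library only, so it runs on any OS."""
import re
import sys

# Import DLLs whose presence suggests network capability. The first three are
# the ones seen in CANADA.EXE; ws2_32.dll is the Winsock 2 equivalent.
NETWORK_DLLS = ("urlmon.dll", "wininet.dll", "wsock32.dll", "ws2_32.dll")
# Version-resource fields are stored as UTF-16LE, so an ASCII-only scan misses them.
VERSION_FIELDS = ("VS_VERSION_INFO", "CompanyName", "FileDescription", "Comments")


def extract_strings(data: bytes, min_len: int = 6) -> list[tuple[str, str]]:
    """Return (encoding, text) pairs for every printable run of >= min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf16", m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return found


def triage(data: bytes) -> dict:
    """Summarise size, string count, network imports and version fields found."""
    strings = extract_strings(data)
    texts = [t for _, t in strings]
    lowered = [t.lower() for t in texts]
    return {
        "size": len(data),
        "string_count": len(strings),
        "network_dlls": [d for d in NETWORK_DLLS if any(d in t for t in lowered)],
        "version_fields": [f for f in VERSION_FIELDS if f in texts],
    }


# Constructed sample: a fake PE-like fragment, NOT the real CANADA.EXE.
SAMPLE = (
    b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 8
    + b"KERNEL32.dll\x00" + b"WININET.DLL\x00" + b"WSOCK32.DLL\x00" + b"\x00" * 4
    + "VS_VERSION_INFO".encode("utf-16-le") + b"\x00" * 4
    + "CompanyName".encode("utf-16-le") + b"\x00" * 4 + b"\x8b\xec\x55\x90\xc3"
)

if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument the sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```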

