Security Incidents mailing list archives
Re: CANADA.EXE program
From: Brad Arlt <arlt () cpsc ucalgary ca>
Date: Tue, 11 Mar 2003 10:39:48 -0700
On Tue, Mar 11, 2003 at 11:49:44AM -0400, Boyko, Steve wrote:
> One of the people in my office told me he noticed the CPU usage on his machine was pegged at 100% and Task Manager showed it was an executable CANADA.EXE that was consuming the time. (he is running a Windows 2000 laptop) I looked at his PC and found that the program CANADA.EXE, from C:\Program Files\Dialers\Canada\Canada.EXE, was indeed pegged at 100% CPU utilization, although it didn't seem like it was slowing the system down much. I copied the executable off, then removed it from his registry (HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run).
>
> I examined the executable using Strings from www.sysinternals.com but found nothing unusual except that it appears to be a Visual Basic program, based on the file properties (it has strings such as VS_VERSION_INFO, Comments, CompanyName, FileDescription, etc. which have blank values). The list of imported DLLs at the end show that it does use network-related code, such as URLMON.DLL, WININET.DLL, and WSOCK32.DLL. There are no ASCII or Unicode strings of note except for a portion that seems to start with "This executable", but it is garbled. The file size is 68,096 bytes.
>
> I Googled for it and saw it was mentioned in a list of known Start-Up Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm) with a comment "Known to be a dialler - but is it maliscous or clean?".
Not specifically. There are a series of "You need to download this dialer application to access our really great porn" programs. A good many are trojaned, and some are known viruses. If you are feeling lazy, submit the program to your virus scanner vendor and have them look at it (that is why you pay them money each year). They might even add a signature for the program, making finding it next time super easy.

-----------------------------------------------------------------------
  __o       Bradley Arlt                      Security Team Lead
_ \<_       arlt () cpsc ucalgary ca          University Of Calgary
(_)/(_)     I should be biking right now.     Computer Science
----------------------------------------------------------------------------
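The first-pass triage Steve describes (copy the file off, run Strings over it, note the VS_VERSION_INFO block and the imported DLL names at the end of the output, then hand the sample to the AV vendor) can be scripted so the same checks are applied the same way to the next suspicious Run-key entry. The following Python is an added example and is not code from either poster; it reimplements the ASCII/UTF-16LE string extraction that Strings performs, pulls DLL names out of the results, flags the network-capable imports named in the thread, and hashes the sample for the vendor submission. The input blob is constructed here for the demonstration and is not CANADA.EXE or any real binary; `WS2_32.DLL` is added to the watch list as the newer Winsock import.

```python
import hashlib
import re
from typing import Dict, List

# Imports that give a binary network capability. The first three are the ones
# reported in the thread; WS2_32.DLL is the newer Winsock import (assumption:
# you may extend this set for your own environment).
NETWORK_DLLS = {"URLMON.DLL", "WININET.DLL", "WSOCK32.DLL", "WS2_32.DLL"}

# A DLL name embedded anywhere inside a printable run.
DLL_NAME_RE = re.compile(r"[A-Za-z0-9_]+\.DLL", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 4) -> Dict[str, List[str]]:
    """Pull printable ASCII and UTF-16LE ("Unicode") runs out of raw bytes,
    the same two classes the Sysinternals Strings tool reports."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text in Win32 version resources looks like b'V\x00S\x00_\x00...'
    unicode_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "unicode": [m.group().decode("utf-16-le") for m in unicode_re.finditer(data)],
    }


def triage(data: bytes, min_len: int = 4) -> dict:
    """Summarise what an analyst wants before forwarding a sample: size and
    hash for the submission, whether a version-info block is present, and
    which imported DLL names indicate network activity."""
    found = extract_strings(data, min_len)
    dlls = set()
    for s in found["ascii"] + found["unicode"]:
        dlls.update(name.upper() for name in DLL_NAME_RE.findall(s))
    return {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "ascii_strings": found["ascii"],
        "unicode_strings": found["unicode"],
        "has_version_info": any("VS_VERSION_INFO" in s for s in found["unicode"]),
        "dlls": sorted(dlls),
        "network_dlls": sorted(dlls & NETWORK_DLLS),
    }


# Constructed sample: a fake PE-like blob with a UTF-16LE version block and an
# ASCII import name table. It is not CANADA.EXE or any real binary.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + "VS_VERSION_INFO".encode("utf-16-le") + b"\x00\x00"
    + "CompanyName".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03"
    + b"URLMON.DLL\x00WININET.DLL\x00WSOCK32.DLL\x00KERNEL32.DLL\x00"
    + b"\xff\xfe"
)


if __name__ == "__main__":
    report = triage(SAMPLE)
    for key in ("size", "sha256", "has_version_info", "dlls", "network_dlls"):
        print(f"{key}: {report[key]}")
```

Run it against a copied-off file with `triage(open(path, "rb").read())`. A non-empty `network_dlls` list is not proof of anything on its own (plenty of legitimate software imports WININET.DLL), but combined with a Run-key entry pointing into an unfamiliar directory it is the signal that justifies pulling the file and sending it to the vendor, and the recorded SHA-256 lets you match their verdict back to the exact sample you saw.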