Security Incidents mailing list archives

RE: Odd typing in MSWord


From: Felix.Simmons () edwardjones com
Date: Fri, 04 Mar 2005 13:22:37 -0600

There could be a few possible reasons for your ghost typing. One, did
you check the document for macros? Two, have you looked into any rootkit
checking tools? Three, did you hang a sniffer off a machine that could
sniff the traffic of the workstation in question without actually having
to put the sniffer on the workstation?

When you do any analysis from the workstation you have to take anything
you see with a grain of salt; as in the example of rootkits, an attacker
could hide processes, connections, files, basically anything they don't
want you to see. I would say hang a sniffer off the machine and watch
it, or when in doubt rebuild.

-Felix

-----Original Message-----
From: FederatedInformationSecurity
[mailto:FederatedInformationSecurity () federatedinv com]
Sent: Friday, March 04, 2005 8:50 AM
To: incidents
Subject: Odd typing in MSWord


I ran across something rather odd today I'm hoping someone might have
thoughts on.  One of my users had their XP SP1 laptop on the corporate
network and was editing a Word document with Office 2002.  They pasted
something in a table, and it looked like someone started typing in their
document.  It was slow, typical typing speed, and lasted for about 10
minutes (I actually got a chance to see it).  The text was nonsense
words, like the kind you often see in spam nowadays.

The machine's fully patched, up-to-date anti-virus and a personal
firewall.  Don't see any signs of spyware, nothing in the registry.  I
checked all the files modified today hoping to find a keylogger or
something similar, and the only thing I found was a seemingly encrypted
file on the root of c:\ called "comply.ini", which isn't normal for our
config, but may not be related.  IE was open at the time this happened.
I issued a netstat -a command while the typing was going on, but all the
connections were legit--domain controller, file & print servers.  I
checked the running processes and everything seemed pretty typical,
although I hit 

Anyone run across anything similar lately, or have any suggestions?

Thanks!
sid
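
Added example (not part of the original messages): a sketch of the cross-view check suggested in the reply, comparing the TCP connections the workstation's own netstat reports with flows recorded by a sniffer on a separate machine. All addresses, sample data and function names are constructed for illustration, and the sniffer output is assumed to be already reduced to (proto, src, sport, dst, dport) tuples.

```python
import re

# Constructed sample: `netstat -an` output as reported by the suspect workstation.
HOST_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.23:1045         10.0.0.5:445           ESTABLISHED
  TCP    10.0.0.23:1051         10.0.0.6:139           ESTABLISHED
"""

# Constructed sample: flows seen by the off-host sniffer during the same window.
WIRE_FLOWS = [
    ("TCP", "10.0.0.23", 1045, "10.0.0.5", 445),
    ("TCP", "10.0.0.5", 445, "10.0.0.23", 1045),    # reply direction of the same flow
    ("TCP", "10.0.0.23", 1051, "10.0.0.6", 139),
    ("TCP", "10.0.0.23", 1077, "192.0.2.44", 8080),  # never listed by the host
    ("UDP", "10.0.0.23", 1030, "10.0.0.5", 53),      # ignored: TCP only in this sketch
]

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)", re.M)

def parse_netstat(text):
    """TCP connections the host admits to: (local_ip, lport, remote_ip, rport)."""
    conns = set()
    for lip, lport, rip, rport, state in TCP_LINE.findall(text):
        if state != "LISTENING":          # listeners have no remote endpoint
            conns.add((lip, int(lport), rip, int(rport)))
    return conns

def wire_view(host_ip, flows):
    """Sniffer flows normalised to the host's perspective, both directions merged."""
    seen = set()
    for proto, src, sport, dst, dport in flows:
        if proto != "TCP":
            continue
        if src == host_ip:
            seen.add((src, sport, dst, dport))
        elif dst == host_ip:
            seen.add((dst, dport, src, sport))
    return seen

def unreported_flows(host_ip, netstat_text, flows):
    """Connections present on the wire that the host's own netstat did not show."""
    return sorted(wire_view(host_ip, flows) - parse_netstat(netstat_text))

if __name__ == "__main__":
    for flow in unreported_flows("10.0.0.23", HOST_NETSTAT, WIRE_FLOWS):
        print("on the wire but not in netstat:", flow)
```

A netstat snapshot can miss short-lived connections that a capture window records, so each result is a lead to investigate and not proof of a hidden connection.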

