CastleCops® IceSword Instructions in English, Illustrated

Need help? Click here to register for free! Absolutely zero advertisements on this site!

**$9736.22 of $21422.68**

Help CastleCops serve the community on new servers, Donate Here to reach our goal.

	Donation/Premium

	Donations. Become Premium Today!

	Security Central

	· Home · PIRT/Fried Phish · MIRT · SIRT · Deutsch · Wiki · Newsletter · O16/ActiveX · CLSID List · Contest2007 · Downloads · Feedback (send) · Forums · HijackThis · Hijacktrend · LSPs · My Downloads · O18 · O20 · O21 · O22 · O23 · O9 · Premium · Private Messages · Proxomitron · Reviews · Search · StartupList · Stories Archive · Submit News · WsIRT · Your Account · Acceptable Use Policy

Survey

Forum FAQ

Usergroups

Profile

Select FavForums

What is this thing ?

All -> FavForums -> Rootkit Revelations

[del.icio.us!] [digg it!] [reddit!]

View previous topic :: View next topic

Author

Message

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA

Posted: Thu Nov 23, 2006 1:07 am Post subject: What is this thing ?

C:\Documents and Settings\xxxxx\Local Settings\Temp : {215E4984-0C07-49DC-8012-3247783A10EE} MD5: E30BE6078F3502CE82BE83FBE2E63909 This ADS re-spawns after reboot . I can't find any rootkit or malware evidence on my test system aside from this ADS . Is this a normal file ? If it is google is not being any help . I have exported it and submitted it to virustotal , it scans clean . Hex-editing also turns up nothing (its only 12 bytes) . My test machine is XPSP1 BTW . Thanks

Prince_Serendip

Site Moderator

Joined: Sep 07, 2002
Posts: 17541

Posted: Thu Nov 23, 2006 4:03 pm Post subject:

Found it! Here you go. It's at Sunbelt as Backdoor.Nibu The dll is at the bottom of the list. Definitely malware. _________________ Microsoft MVP Consumer Security 2006, 2007 & 2008

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA

Posted: Thu Nov 23, 2006 5:42 pm Post subject:

Awesome , thanks . It looks like I may have stumbled on this a while ago : /postlite171327-lhel32+dll.html . I am going to try and track down the lingering file that is re-spawning the ADS .

Prince_Serendip

Site Moderator

Joined: Sep 07, 2002
Posts: 17541

Posted: Thu Nov 23, 2006 7:17 pm Post subject:

You are most welcome. That would be a good idea. Sunbelt is the only one with text on this threat. _________________ Microsoft MVP Consumer Security 2006, 2007 & 2008

nosirrah

Security Expert
Special Response Team

Joined: Apr 19, 2006
Posts: 6299
Location: USA

Posted: Sun Nov 26, 2006 4:34 pm Post subject:

Well I don't think I will ever get to the bottom of this one : /t172910-.html

Prince_Serendip

Site Moderator

Joined: Sep 07, 2002
Posts: 17541

Posted: Sun Nov 26, 2006 9:31 pm Post subject:

Glad it didn't burn more than that. In the old days (maybe they still do?) we always kept a CO2 Fire Extinguisher in the computer room (mainframe). You never know when the circuits will fry. _________________ Microsoft MVP Consumer Security 2006, 2007 & 2008

	All -> FavForums -> Rootkit Revelations	All times are GMT
Page 1 of 1

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


	2002-2008 � Computer Cops LLC dba CastleCops®. All rights reserved. Acceptable Use Policy. Use signifies your agreement. 197ppm 0.577s (0.08s) Making cybercriminals unhappy since 2002*