Trying to locate a recent post

Discussion in 'other security issues & news' started by wink, Jan 25, 2003.

Thread Status:
Not open for further replies.
  1. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi,

    I have been searching for a post about a program that runs on WinXP that is active in the background, when people try to delete this program it renames itself and on reboot it is again listed in the task manager process list with the filename changed by 1 letter.

    I was trying to find this post as a friend of mine brought up the problem in conversation and I immediately remembered the post here at Wilder's, but alas my search skills don't seem to be very good at all as I have been unable to find it again. o_O

    I am hoping that my sketchy description of this file will jog someone's memory and that they might be able to guide me in the right direction.

    Thanks

    Wink.
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    wink,

    Give the "search" button a try ;)

    regards.

    paul
     
  3. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi Paul,

    I have tried many iterations of various searches but I don't think I have keyed in the correct words. I only know the general gist of the thread I am looking for as I didn't pay much attention to it the first time I saw it. I have manually viewed each board as well and still I am unable to locate it ... I think I am going mad, did I imagine it o_O

    I will carry on my search as things like this will bug me until I find what I am looking for.

    Wink :)
     
  4. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Wink, it is difficult to find old threads and posts here. It's not just you.
     
  5. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    check out check out thee you are missed you hugggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggggg

    it ain't been the same with you gone, at least I haven't seen you post much, was about to post a "where's Checkout" thread lol

    good to see you around still, you and snowy disappear a lot
     
  6. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    I know of a few "bad programs" that run in the background that will do that..and also a few virus/worms that when you think you have deleted them..the next time you fire up your system they are back again...some of them with a one letter change..and others with two like in winconfig**.exe where the ** can be randomly generated....just like another exploit that is eight letters long and they are picked at random and can be ABCEEDTD.exe one time and MSBUMMER.EXE the next.

    So are you talking about a good thing or a bad thing..and then could you explain your best recollection on why one would use it?


    See if this rings a bell....

    When the worm is executed, it takes the following steps:

    Replaces Files with Copies of the Worm
    When the worm executes, it will search for certain types of files and make changes to those files depending on the type of file. For files on fixed or network drives, it will take the following steps:

    For files whose extension is vbs or vbe it will replace those files with a copy of itself.
    For files whose extensions are js, jse, css, wsh, sct, or hta, it will replace those files with a copy of itself and change the extension to vbs. For example, a file named x.css will be replaced with a file named x.vbs containing a copy of the worm.
    For files whose extension is jpg or jpeg, it will replace those files with a copy of the worm and add a vbs extension. For example, a file named x.jpg will be replaced by a file called x.jpg.vbs containing a copy of the worm.
    For files whose extension is mp3 or mp2, it will create a copy of itself in a file named with a vbs extension in the same manner as for a jpg file. The original file is preserved, but its attributes are changed to hidden.
    Since the modified files are overwritten by the worm code rather than being deleted, file recovery is difficult and may be impossible.

    Users executing files that have been modified in this step will cause the worm to begin executing again. If these files are on a filesystem shared over a local area network, new users may be affected.
    http://www.cert.org/advisories/CA-2000-04.html

    That one happens to be LoveLetter..
    _____________________________________

    The only other thing I can think of is that old trick with the renaming of the Win386.swp and some .vbs tricks, and/or the trick you can do to rename a file extension by one letter so that you can delete it in Windows mode rather than in safe or DOS mode.

    :D
     
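The CERT text Primrose quoted describes a very recognisable on-disk footprint: `.vbs`/`.vbe` scripts overwritten with one identical body, other script types renamed to `.vbs`, and media files shadowed by `<name>.jpg.vbs` / `<name>.mp3.vbs` copies. The script below is an added example (not part of the thread or of the CERT advisory) that walks a directory tree and flags exactly those three patterns, which is the sort of triage check a defender would run on a share after an incident like this. The sample tree it builds under a temp directory is constructed for the demonstration and contains a harmless stand-in script body, not worm code; the function names and the cluster threshold of three identical scripts are my own choices.

```python
import hashlib
import shutil
import tempfile
from collections import defaultdict
from pathlib import Path

# Per the advisory text: media extensions that get a ".vbs" appended ("x.jpg" -> "x.jpg.vbs").
APPENDED_EXTS = {".jpg", ".jpeg", ".mp3", ".mp2"}
# Script extensions the worm body ends up with (vbs kept, js/jse/css/... renamed to vbs).
SCRIPT_EXTS = {".vbs", ".vbe"}
# Assumption for this demo: three or more byte-identical scripts is suspicious enough to report.
CLUSTER_MIN = 3


def sha256_of(path: Path) -> str:
    """Hash a file so byte-identical script bodies can be grouped together."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root) -> dict:
    """Return the three indicators described in CA-2000-04 for every file under root."""
    root = Path(root)
    findings = {"double_ext": [], "shadowed_media": [], "identical_script_clusters": []}
    by_hash = defaultdict(list)

    for path in root.rglob("*"):
        if not path.is_file():
            continue
        suffixes = [s.lower() for s in path.suffixes]
        if not suffixes or suffixes[-1] not in SCRIPT_EXTS:
            continue
        rel = path.relative_to(root).as_posix()
        by_hash[sha256_of(path)].append(rel)

        # "x.jpg.vbs" / "x.mp3.vbs": a media name with a script extension appended.
        if len(suffixes) >= 2 and suffixes[-2] in APPENDED_EXTS:
            findings["double_ext"].append(rel)
            # For mp3/mp2 the advisory says the original is kept (hidden) next to the copy.
            original = path.with_suffix("")  # strip only the trailing .vbs
            if original.exists():
                findings["shadowed_media"].append(original.relative_to(root).as_posix())

    # Many scripts overwritten by one worm body show up as one large identical-hash cluster.
    for paths in by_hash.values():
        if len(paths) >= CLUSTER_MIN:
            findings["identical_script_clusters"].append(sorted(paths))
    return findings


def build_sample_tree() -> Path:
    """Constructed fixture reproducing the advisory's layout; the 'worm body' is a benign echo."""
    root = Path(tempfile.mkdtemp(prefix="ca200004_demo_"))
    body = b"' constructed stand-in for an overwriting script body\nWScript.Echo \"demo\"\n"
    (root / "docs").mkdir()
    (root / "scripts").mkdir()
    (root / "docs" / "x.jpg.vbs").write_bytes(body)         # jpg case: original replaced
    (root / "docs" / "x.mp3").write_bytes(b"ID3 constructed audio bytes")
    (root / "docs" / "x.mp3.vbs").write_bytes(body)         # mp3 case: original kept alongside
    (root / "docs" / "style.vbs").write_bytes(body)         # was style.css, renamed to .vbs
    (root / "scripts" / "login.vbs").write_bytes(body)      # genuine .vbs overwritten in place
    (root / "scripts" / "legit.vbs").write_bytes(b"' untouched admin script\n")
    (root / "docs" / "photo.jpg").write_bytes(b"\xff\xd8\xff constructed jpeg")
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    try:
        for key, value in scan_tree(demo_root).items():
            print(f"{key}: {value}")
    finally:
        shutil.rmtree(demo_root)
```

On a real share you would point `scan_tree` at the mount point and review `identical_script_clusters` first; a single hash shared by dozens of `.vbs` files across unrelated folders is the strongest of the three signals, while `double_ext` hits tell you which media files were lost and `shadowed_media` which ones are still recoverable.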
  7. wink

    wink Registered Member

    Joined:
    Dec 16, 2002
    Posts:
    52
    Hi Primrose,

    From what I can recall the file was bad and the length of the filename was around 5 letters, i.e., wcflp.exe which changed to wcfdp.exe or similar. All I can recall for definite is that the file didn't seem to be attached to any intentionally installed piece of software and when the person tried to remove the file it reproduced itself with a filename differing by the one letter.... and it was definitely a WinXP problem so I was led to believe, hence my not paying much attention to the thread (I use Win2k).

    This is by no means hard fact though as my inability to find the post again is making me doubt ever seeing it in the first place, as the threads on the boards on Wilder's do not get pushed off the bottom of the page very quickly due to excessive postings as you tend to see on other forums.

    That's about the extent of my memory ability I am afraid, not very detailed I know :/

    Wink
     
  8. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Don't worry, Blaze - the Rhino is back and here to stay!
     