Home page logo
/

basics logo Security Basics mailing list archives

Re: a strange file
From: ragdelaed <ragdelaed () gmail com>
Date: Sat, 21 Jan 2006 13:17:59 -0500

http://www.sysinternals.com/Files/FilemonNt.zip

the link above will download filemon.exe by sysinternals. it allows you to look at all activity on your file system. open it, run it, then filter it on c:\data. let it run in the background until you see something hit it.

after something hits it, the process that manipulated the directory, the file it touched, and the exact time should help you determine the intent of the file. it kind of looks like a dump of a failed program or failed program data in vbs format. do you and your friend have any third party software that is unique to the both of you? download a common game or application? and is his exactly the same or a little different?

if it is a file dump, then you probably wont see much happening to it.

also, make sure your box is patched, make sure anti-virus is up to date, run a firewall if you dont already. also check your run key to see if there is anything weird in there.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

eddy

migalo digalo wrote:

i have descovred a strange file (it seems crypted) in my pc and in
the pc of a friend too! the file have the name (data) and is present
in C drive (c:\data)

here i post the content (not all) of this file:
---------------------------
-BEGIN FILE DUMP
------------------------------------------------------------------
const char * vGGY3 =
"poH5fE7ofWDVb7P8IthCkodZM5AEC3Z2c7rSn1EpauvCQyEIaNFI6QkXZpWG9Gmgrg8s2jvTiUGxpODovfUXt1GLjBXVXfuW3KGcPmqfhRqw";
const char * vJo8mDfo5CyfU9 = "NlBb73ITslIVY4feE2hb84b0ukyZZ41";
const char * vRgOhphN62LPt =
"b3FL1Bx8DmCYva3rwB3bErfwEeBqCoayEngFV4VCnf7B47eQmusVASdBcAb2af7LUAmWFmYbOmdoO71ADeuIHJKHtPCKAgMLSxJ6SfFdSPjd7";
const char * vGpRLf6oU9fH =
"xqkce5QJa7GAZ1ehqDX1tL8jvRRK9YRx4I4dQacGcIXCmZwDng7WDTcKFmFdCfugbRctseAEFZv4wVGoksXfLOOxQQ";
const char * vAjVVc =
"NFdFWaKIH7pfCJlD3XiJcn6gSCcAbjwbyvQk4gAf2iCeWeokCH9lEc20";
const char * vhEoV7PZ6DlBUd =
"9RXgkPFH0BqxaABCPISPddF82FDnwdndlAJ4bxEMoLN1bcuEY1QG6d26EeKdrYVB88wEyWg9IGs1tWiAZwOV1NcFC";
const char * veye0Geh2C =
"me3GKL1MONF4OBXAkfGPmgnPKaakoFWEoxlFEClIdBh2cOX22E5K2e9F0CculLKFWf";
const char * v09Q7h4GiYs1 =
"ac3nEASAVK0hyxDWKaHAM1PewedJCYYGiHAcZfaiYgaK81XuEadaeTTLdmHaa9wd5U1hJblfft1W8YB6CitdDTfQEpdE9gb0NExPmnrFICs";
const char * vHfGhym =
"uLEwb6Mbr9DMcOdGeaaZS2okSI4Nxef4M2WprUiRFBCT8dsG2PTCrSGs0CueZcf9ebZXCt";
const char * vdldFy =
"etobcGxFPj42oJKeYBxdqenZfAIFrAMnJd0ZesGPF03Ayae6OsQpiEWeDfxC9HjEuKaCF6C3fLrdPcMqUvEL7ZC9eJMN";
const char * vDfg63CAKx = "U36wdFCuFSNGc9ZXQKBEKA";
const char * ve2B9eB2a1Ir = "nifidry1ib";
const char * vGAvAvbyGJ = "ZftalcGdlyihk1KdKPE";
const int vfJtQoThCW = 25360;
const int vLqGcTc9CHAyE = 18467;
const int vOpEf = 10234;
const int vQntxasxdGa = 3686;
const int vbE01E9BRPbdCA = 29270;
const int vh0qaT3gx8deqN = 28100;
const int vZbmbT3B4 = 14438;
const int v5bOIZ7r = 29497;
--------------------------------------------- END FILE DUMP
--------------------------------------------------------------------

i think it provide same strings and ints for a potentiel malware !
can you please tell what's this exactley?
thank you
sorry for my bad english :)

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault