Security Incidents mailing list archives

CANADA.EXE program
From: "Boyko, Steve" <SBoyko () nbpower com>
Date: Tue, 11 Mar 2003 11:49:44 -0400

One of the people in my office told me he noticed the CPU usage on his
machine was pegged at 100% and Task Manager showed it was an executable
CANADA.EXE that was consuming the time.  (He is running a Windows 2000
laptop.)

I looked at his PC and found that the program CANADA.EXE, from C:\Program
Files\Dialers\Canada\Canada.EXE, was indeed pegged at 100% CPU utilization,
although it didn't seem like it was slowing the system down much.

I copied the executable off, then removed it from his registry
(HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run).

I examined the executable using Strings from www.sysinternals.com but found
nothing unusual except that it appears to be a Visual Basic program, based
on the file properties (it has strings such as VS_VERSION_INFO, Comments,
CompanyName, FileDescription, etc. which have blank values).  The list of
imported DLLs at the end shows that it does use network-related code, such as
URLMON.DLL, WININET.DLL, and WSOCK32.DLL.

There are no ASCII or Unicode strings of note except for a portion that
seems to start with "This executable", but it is garbled.  The file size is
68,096 bytes.

I Googled for it and saw it was mentioned in a list of known Start-Up
Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm)
with a comment "Known to be a dialler - but is it maliscous or clean?".

Does anyone have any idea what this program is?

Steve Boyko
IT Specialist-Generation
NB Power
sboyko () nbpower com
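
The static triage described in the message above (printable strings, DLL names, blank version-resource fields), as an added Python example that is not part of the original post. The sample bytes are constructed, not taken from CANADA.EXE, and the blank-field check is a heuristic assumption about how empty version values appear in string output.

```python
import re

# DLLs the post singles out as network-related; other names are listed, not flagged.
NETWORK_DLLS = {"URLMON.DLL", "WININET.DLL", "WSOCK32.DLL"}
# Standard StringFileInfo keys of a Windows version resource.
VERSION_KEYS = {"Comments", "CompanyName", "FileDescription", "FileVersion",
                "InternalName", "LegalCopyright", "OriginalFilename",
                "ProductName", "ProductVersion"}

def extract_strings(data, min_len=4):
    """Return sorted (offset, encoding, text) for printable ASCII and UTF-16LE runs."""
    patterns = {"ascii": rb"[\x20-\x7e]{%d,}" % min_len,
                "utf-16-le": rb"(?:[\x20-\x7e]\x00){%d,}" % min_len}
    found = [(m.start(), enc, m.group().decode(enc))
             for enc, pat in patterns.items() for m in re.finditer(pat, data)]
    return sorted(found)

def triage(data):
    """Summarise DLL names and blank version fields seen in the file's strings."""
    strings = extract_strings(data)
    # A DLL name in the strings is a hint of an import, not proof of one.
    dlls = sorted({t.upper() for _, _, t in strings
                   if re.fullmatch(r"[\w.-]+\.dll", t, re.I)})
    wide = [t for _, enc, t in strings if enc == "utf-16-le"]
    # Heuristic: a version key directly followed by another key (or by nothing)
    # has no value string after it, i.e. the field was left blank.
    blank = [k for i, k in enumerate(wide) if k in VERSION_KEYS
             and (i + 1 == len(wide) or wide[i + 1] in VERSION_KEYS)]
    return {"dll_names": dlls,
            "network_dlls": [d for d in dlls if d in NETWORK_DLLS],
            "blank_version_fields": blank}

def _wide(s):
    """Encode a string the way version resources store it (UTF-16LE, NUL-terminated)."""
    return s.encode("utf-16-le") + b"\x00\x00"

# Constructed sample bytes: three blank version fields, one filled, four DLL names.
SAMPLE = (b"MZ" + b"\x00" * 30
          + _wide("VS_VERSION_INFO") + _wide("Comments") + _wide("CompanyName")
          + _wide("FileDescription") + _wide("FileVersion") + _wide("1.00")
          + b"KERNEL32.DLL\x00WSOCK32.DLL\x00WININET.DLL\x00URLMON.DLL\x00")

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

To run it against a copied-off file, pass the file's bytes to `triage()` instead of `SAMPLE`.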


