Security Incidents: Re: strange software > winsupdater.exe

From: Harlan Carvey <keydet89_at_yahoo.com>
Date: Thu, 17 Mar 2005 03:08:14 -0800 (PST)

Dave,

> Though there is little (or no) info on the file, I would bet my last dollar
> that it's a virus or other malware file. Here's why:
> 1) No info on the file through Google or webferret searches. If it was
> legit, there would be info. Especially at Microsoft's site.

Not necessarily. There are a great number of Registry
keys, for example, in Win2K and above, for which MS has
*no documentation*. So assuming that MS is going to have
information about all of its files and DLLs is not a safe
assumption to make.

However, you _can_ get a warm fuzzy if the file has
the MS file version information compiled into it.
That warm fuzzy can be increased if the file is
digitally signed by MS.

> 2) It shouldn't be in the Registry at startup
> locations.

Yes...maybe.

> 3) It probably has a recent creation date, since it
> was recently placed on your machine.

Well, a simple command (i.e., "dir /tc <file>") would
sort of confirm that, wouldn't it? Adding to that the
LastWrite time from the Run key would be nice. Oh,
darn...the OP doesn't seem to have that information
available. I wonder why that is??
 
> I would delete it in the Registry and in any
> folders.

Probably a good idea...*after* a root cause analysis
of (a) how it got on the system and (b) what it
did/does has been completed. And perhaps maybe not
delete, but how about copy it off of the system,
preserving it for analysis?

------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------
Received on Mar 17 2005
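The checks Harlan lists (version information and a digital signature, the creation time that "dir /tc" shows, the LastWrite time of the Run key, and preserving a copy before anything is deleted) as one worked script. This is an added example, not code from the original post or its author, written for a current Windows host with PowerShell 5.1 or later from an elevated prompt. The file location, the evidence folder, the helper name Get-RegKeyLastWriteUtc and the RegInfo wrapper are assumptions for illustration; nothing here says what winsupdater.exe actually is.

```powershell
<#
  Added example (not from the original post). Triage a suspicious file before
  deleting it. $Path and $EvidenceDir are assumed values: substitute what the
  machine actually shows. Run elevated so HKLM and the evidence copy work.
#>
param(
    [string]$Path        = "$env:SystemRoot\System32\winsupdater.exe",  # assumed location
    [string]$EvidenceDir = 'E:\evidence'                                 # assumed external drive
)
$ErrorActionPreference = 'Stop'
$RunSubKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

# --- 1. Version information and Authenticode signature -----------------------
# Version strings are free text that any author can compile in, so they are only
# a hint. The stronger check is a Valid signature whose chain ends at a trusted
# root and whose signer is Microsoft.
$item = Get-Item -LiteralPath $Path
$sig  = Get-AuthenticodeSignature -LiteralPath $Path
[pscustomobject]@{
    CompanyName = $item.VersionInfo.CompanyName
    ProductName = $item.VersionInfo.ProductName
    FileVersion = $item.VersionInfo.FileVersion
    SigStatus   = $sig.Status            # Valid / NotSigned / HashMismatch / ...
    Signer      = $sig.SignerCertificate.Subject
    LooksLikeMS = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft Corporation*')
} | Format-List

# --- 2. Timestamps: what "dir /tc" shows, plus the Run key's LastWrite -------
# These are the NTFS $STANDARD_INFORMATION times; malware can rewrite them, so
# treat them as a lead rather than proof. UTC avoids time-zone/DST confusion.
[pscustomobject]@{
    Created   = $item.CreationTimeUtc
    Modified  = $item.LastWriteTimeUtc
    Accessed  = $item.LastAccessTimeUtc
    SizeBytes = $item.Length
} | Format-List

# Get-Item on a registry key does not expose LastWriteTime; RegQueryInfoKey does.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;
public static class RegInfo {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int RegQueryInfoKey(
        SafeRegistryHandle hKey, StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
        out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
        out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
        out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
}
'@

function Get-RegKeyLastWriteUtc([Microsoft.Win32.RegistryKey]$Key) {
    # Hypothetical helper: wraps RegQueryInfoKey and returns the key's LastWrite time.
    $cbClass = [uint32]0
    $d1 = $d2 = $d3 = $d4 = $d5 = $d6 = $d7 = [uint32]0   # counts we do not need
    $ft = [long]0
    $rc = [RegInfo]::RegQueryInfoKey($Key.Handle, $null, [ref]$cbClass, [IntPtr]::Zero,
        [ref]$d1, [ref]$d2, [ref]$d3, [ref]$d4, [ref]$d5, [ref]$d6, [ref]$d7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTimeUtc($ft)
}

# The LastWrite time belongs to the key, not to one value: it dates the most
# recent change to any Run entry, which is why it is worth reading alongside
# the file's creation time rather than instead of it.
foreach ($hive in @([Microsoft.Win32.Registry]::LocalMachine, [Microsoft.Win32.Registry]::CurrentUser)) {
    $key = $hive.OpenSubKey($RunSubKey)
    if ($null -eq $key) { continue }
    "{0}\{1}  LastWrite (UTC): {2}" -f $hive.Name, $RunSubKey, (Get-RegKeyLastWriteUtc $key)
    foreach ($name in $key.GetValueNames()) {
        '    {0,-30} {1}' -f $name, $key.GetValue($name)
    }
    $key.Close()
}

# --- 3. Preserve, then decide ------------------------------------------------
# Copy the file off the system with a hash before and after, so the sample is
# available for analysis even if someone later deletes it. The copy gets a new
# creation time, which is why the timestamps above were recorded first. The
# .bin suffix keeps the copy from being run by accident.
New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
$before = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$dest   = Join-Path $EvidenceDir ($item.Name + '.bin')
Copy-Item -LiteralPath $Path -Destination $dest
$after  = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
if ($before -ne $after) { throw 'Evidence copy does not match the original hash' }
"SHA256 $before preserved at $dest"
```

Removing the Run value and the file is deliberately left out: that step comes after the copy exists and after the questions of how it arrived and what it does have been answered.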
