RE: Strange servicepack.exe file (not service.exe) found.

["Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>]

> -----Original Message-----
> From: Chip Mefford [mailto:cmefford () avwashington com] 
> Sent: Wednesday, 17 December 2003 7:29 a.m.
> To: incidents () securityfocus com
> Subject: Strange servicepack.exe file (not service.exe) found.
>
> Running in the task manager on a windows 98 box on
> our lan. The machine was misbehaving badly yesterday
> morning. IE 5.5 was broken, will not browse anything,
> even a local file. Mozilla 1.5 works fine. The machine
> has been flattened and is being reloaded with Win2K.
>
> This machine was screwed down as tight as we could make
> it and still have it be useful. It was used by staff
> that had no dedicated workstations to access our webmail
> and such things.

Sophos detects this file as App/Rblast-A.

> From their Web site:

App/RBlast-A is an adware application which attempts to connect to and
download material from a pornographic website. 
The application may also add an entry to the registry at: 

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
or
HKCU\Software\Microsoft\Windows\CurrentVersion\Run 

to run itself on system restart. 

App/RBlast-A has an uninstall option which may not delete all files and
entries related to the application.


Some of your users either executed something which brought this adware with
it, or someone browsed to a site which used one of many IE exploits to
launch an executable on your machine.

As you already reinstalled the box, there is nothing more to do. Keep your
systems patched.

Regards,

Bojan Zdrnja



---------------------------------------------------------------------------
----------------------------------------------------------------------------