- Feb 22, 2007
File doing the damage is: winselcil.exe
It copies itself to system32, as normally hidden.
Ran a packet sniffer to see what it's trying to do:
0000 00 1d 7d 9c 98 4b 00 13 46 4b 6a 16 08 00 45 00 ..}..K.. FKj...E.
0010 00 58 00 00 40 00 35 11 7e 85 04 02 02 02 c0 a8 .X..@.5. ~.......
0020 00 64 00 35 04 0a 00 44 20 be ac 07 81 80 00 01 .d.5...D .......
0030 00 01 00 00 00 00 0c 79 6f 75 63 61 6e 74 73 65 .......y oucantse
0040 65 75 73 09 73 65 72 76 65 62 65 65 72 03 63 6f eus.serv ebeer.co
0050 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 0a m....... ........
0060 00 04 42 9a 56 56
Address it's sending to: youcantseeus.servebeer.com
It's slowly scanning the network looking for license keys of high-end software.
AutoCAD, Citrix, 3Com, etc.
I'm not sure how this got on the PC, since it's not used for torrents, shareware, or anything like that.
Just thought I would give a heads-up, since a Google of the program name didn't turn up anything.
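Added example, not code from the post above: a standard-library Python decoder for the sniffed frame, so the DNS reply can be pulled apart into resolver, client port, queried name, TTL and resolved address instead of being read off the hex by hand. The bytes are re-typed from the dump in the post; the function names and the assumption that the dump is one complete Ethernet/IPv4/UDP frame are mine.

```python
import socket
import struct

# Bytes re-typed from the packet dump in the post (offsets and ASCII gutter dropped).
CAPTURE_HEX = (
    "00 1d 7d 9c 98 4b 00 13 46 4b 6a 16 08 00 45 00"
    " 00 58 00 00 40 00 35 11 7e 85 04 02 02 02 c0 a8"
    " 00 64 00 35 04 0a 00 44 20 be ac 07 81 80 00 01"
    " 00 01 00 00 00 00 0c 79 6f 75 63 61 6e 74 73 65"
    " 65 75 73 09 73 65 72 76 65 62 65 65 72 03 63 6f"
    " 6d 00 00 01 00 01 c0 0c 00 01 00 01 00 00 00 0a"
    " 00 04 42 9a 56 56"
)

def read_name(msg, off):
    """Read a DNS name at msg[off:], following 0xC0xx compression pointers.
    Returns (dotted name, offset just past the name as written at the call site)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # pointer: jump back, but remember where we were
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def decode_dns_frame(hexdump):
    """Decode Ethernet -> IPv4 -> UDP -> DNS and return the answer section as data."""
    frame = bytes.fromhex(hexdump.replace(" ", ""))
    assert struct.unpack("!H", frame[12:14])[0] == 0x0800, "not IPv4"
    ihl = (frame[14] & 0x0F) * 4            # IP header length in bytes
    assert frame[23] == 17, "not UDP"
    udp = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    dns = frame[udp + 8:]
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", dns[:8])
    off = 12                                 # past the 12-byte DNS header
    qname, off = read_name(dns, off)
    off += 4                                 # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(dns, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", dns[off:off + 10])
        off += 10
        rdata = dns[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:        # A record: render as dotted quad
            rdata = socket.inet_ntoa(rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"src": socket.inet_ntoa(frame[26:30]), "dst": socket.inet_ntoa(frame[30:34]),
            "sport": sport, "dport": dport, "is_response": bool(flags & 0x8000),
            "qname": qname, "answers": answers}
```

Run against the dump, the frame turns out to be the resolver's reply (from 4.2.2.2, port 53) rather than the outbound query, and the name resolves with a 10-second TTL, which is the kind of short-lived answer a dynamic-DNS host hands out and is worth flagging when reviewing DNS logs for the same lookup from other machines.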