I think someone is cheating "rc5" using my cpu!!, Read please and tell me what you think!!

MortaniuS

Senior member
Oct 12, 2000
I've never installed these rc clients on my computer. And today I noticed my cpu running a little hotter than normal. So I find out my cpu is running at 100% load. I'm like WTF? So I check my process and there is a dn2.exe running. So I turn it off and it fixes the prob. Then I go open this dn2.exe with notepad and this is what I get:

[display]
detached=yes
progress-indicator=off

[rc5]
fetch-time-threshold=48
preferred-blocksize=0
randomprefix=254

[ogr]
fetch-workunit-threshold=5

[parameters]
id=vserge@hostel.pfu.edu.ru

[networking]
autofindkeyserver=no
keyserver=bobik.2y.net

[misc]
project-priority=DES,CSC,OGR,RC5

[triggers]
exit-flag-filename=

[buffers]
frequent-threshold-checks=3
threshold-check-interval=0:30

I NEVER installed this program.
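Added example, not part of the original post and not distributed.net code: one way to pull an embedded settings block like the one above out of a suspect binary and flag what points to a hidden client working for someone else. The sample bytes are constructed from values quoted in the post, the function names are hypothetical, and the meaning given to each key is inferred from its name.

```python
import configparser
import re

# Constructed sample: filler bytes around settings quoted in the post,
# standing in for a client binary that carries its configuration inside.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\xff\xfe"
    b"[display]\r\ndetached=yes\r\nprogress-indicator=off\r\n\r\n"
    b"[parameters]\r\nid=vserge@hostel.pfu.edu.ru\r\n\r\n"
    b"[networking]\r\nautofindkeyserver=no\r\nkeyserver=bobik.2y.net\r\n"
    b"\x00\x00\x01"
)

def extract_ini(blob):
    """Return the longest printable run that begins with an INI section header."""
    runs = re.findall(rb"\[[a-z]+\][\x20-\x7e\r\n]+", blob)
    if not runs:
        return ""
    return max(runs, key=len).decode("ascii").replace("\r\n", "\n")

def triage(ini_text, expected_ids=()):
    """Flag settings consistent with a hidden client credited to someone else.

    The meaning of each key is inferred from its name (an assumption).
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False, allow_no_value=True)
    cp.read_string(ini_text)

    def get(section, key):
        return (cp.get(section, key, fallback="") or "").strip()

    findings = []
    if get("display", "detached").lower() == "yes":
        findings.append("client runs detached, with no visible window")
    if get("display", "progress-indicator").lower() == "off":
        findings.append("progress output is switched off")
    keyserver = get("networking", "keyserver")
    if get("networking", "autofindkeyserver").lower() == "no" and keyserver:
        findings.append("results go to a fixed keyserver: " + keyserver)
    owner = get("parameters", "id")
    if owner and owner.lower() not in {e.lower() for e in expected_ids}:
        findings.append("work is credited to an unrecognised id: " + owner)
    return findings, {"id": owner, "keyserver": keyserver}

if __name__ == "__main__":
    for line in triage(extract_ini(SAMPLE_BLOB))[0]:
        print("-", line)
```

Passing the machine owner's own address in `expected_ids` suppresses the last finding, which separates a forgotten legitimate install from one that reports to a stranger.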
 

xrayman

Member
Oct 10, 1999
Unless you bought the box new or built it yourself, Poof is probably right.
I use ZoneAlarm and InoculateIT (both FREE for personal use) and highly recommend them. If you followed Poof's link and read the page, I hope you also went to the ShieldsUP! vulnerability scanner. This is Steve Gibson's most excellent site. Go there and learn!
If you bought your box used, the previous owner may have installed the client and 'forgot' to remove it before you bought it.
In any case you should get rid of it and then install your own client to be sure you're cracking for TAT, ...uh, you are working for TAT, aren't you??
:D

Geoff
 

SuenoNL

Junior Member
Sep 2, 2000


<< keyserver=bobik.2y.net >>



hmmm, he has a proxy running there, version 318. :)
 

IsOs

Diamond Member
Oct 9, 1999
Did you recently install any software? It's important to know how this worm gets into a system so that others can prevent a similar situation. Can you give us a hypothesis/guess?

Is this your home computer? Who can access this computer besides you?

Just a few questions that might help in tracking the source of this problem. :)
 

ViRGE

Elite Member, Moderator Emeritus
Oct 9, 1999
Hmm, this is bad indeed. Until Dnet replies to you, I recommend this:

Don't remove the virus/trojan in any way. Since it's most likely new, Dnet will need your knowledge/data in order to analyze it, and create the proper entry in their WormFree utility.

Check your computer for BackOrifice, NetBus, etc. Since he has a pproxy, he can read your IP address, and may have had his worm install a backdoor in order to further hack you.

Pause the client (dn2.exe -pause). This won't screw up any evidence, but will cost this guy all his blocks, and cool your CPU back down to normal levels.


Oh, and thanks for not going off the deep end about this. :) We do what we can to keep these kinds of things at a minimum, and appreciate it when people come to us first, instead of telling the world, and giving us and Dnet a bad name in the process.
 

Viztech

Platinum Member
Oct 9, 1999
Mort

You came to the right place for help on this problem.

As ViRGE said, your help will be greatly appreciated to get down to the bottom of this problem so it does not happen to anyone else.

viz
 

narzy

Elite Member
Feb 26, 2000
Anyone try contacting that e-mail address to tell this person what is going on?

Also, we hope that you will join us. I know this is not the best way in the world for us to meet, but hey :)

(I just want to make it clear: to my knowledge that e-mail address is not a part of Team AnandTech, and if it were he would be dealt with accordingly. Team AnandTech does not condone this type of action.)
 

Ken g6

Programming Moderator, Elite Member
Moderator
Dec 11, 1999
I think I may know why his stats are so lackluster. I tried pinging his pproxy, but it seems to be down, or no longer existent. Which could mean all or most of the blocks he's made you do, Mort, aren't credited to him, and won't be unless you flush them manually. :)

Edit: Or maybe he's only online occasionally to get his stolen blocks, which could make him harder to track. :(

Edit 2: After further investigation, I found that this guy is not a member of Team AnandTech. He is, however, the 917th member of the Russian Team.
 

Jani

Senior member
Dec 24, 1999
bobik.2y.net resolves to ip-address 24.183.0.241 = cl3018738-a.mdsn1.wi.home.com.

Someone playing games with ruskies?