Cws Re-infection Executables
Started by zxladie, Jun 22 2004 01:03 PM
2 replies to this topic
#1
Posted 22 June 2004 - 01:03 PM
When a CWS infection is executed does it also install pre-defined setup files or folders like this that would install a new infection based on a trigger from a given infection that is removed? Also, do they always use a [filename]2.exe pattern or is it random? Because I found another lone executable named TestManager2.exe that was in the same Docs & Settings\ owner\App Data folder but was in Microsoft\Installer\{E47EA4D...}. I've followed all the CWS information links and read everything by Merijn but I may have missed it and it sure would help me. Thanks.
#2
Posted 22 June 2004 - 02:27 PM
Greetings and welcome to TomCoyote.com!
Although many infections do generate random file names, this one looks pretty stable:
http://www.trendmicr...FEATS.A&VSect=T
May your day be blessed by those you love and those you love be blessed by HIM - Coyote
Micah 6:8 He hath shewed thee, O man, what is good; and what doth the LORD require of thee, but to do justly, and to love mercy, and to walk humbly with thy God?
The help you receive here is free.
If you wish to show your appreciation, then you may donate to help keep us online.
Want to help others? Join the ClassRoom and learn how.
Download Hijack This! My Website: UnSpyMe!
#3
Posted 22 June 2004 - 09:58 PM
Thanks. I'll check it out. This might be a stupid question, but I'm wondering if anyone has seen or heard that there could be uninstalled CWS hidden files ready to stealth execute that can be triggered by an active variant if it is removed. The reason is because there are folders in several places on this kid's machine that contain [filename]2.exe and a [filename].new. And if you look inside the .new file, it looks to be the inf for a CWS BHO. And right out the gate I took 4 trojan droppers out of this thing. I've worked 5 hijacked machines this week all from the same family, I'm probably getting paranoid, but was just wondering. Thanks.
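A triage sketch for the pattern described in post #3, added here as an example and not part of the original thread: it walks a directory tree, lists every `<name>2.exe`, and checks whether a sibling `<name>.new` exists and reads like an INF that references the Browser Helper Objects registry key. The function names, the `[Version]` and BHO-key heuristics, and the sample tree are assumptions constructed for illustration.

```python
import os
import re
import tempfile

# Naming pattern reported in the thread: "<name>2.exe" beside "<name>.new".
EXE_RE = re.compile(r"^(?P<stem>.+)2\.exe$", re.IGNORECASE)
INF_SECTION_RE = re.compile(r"^\s*\[version\]\s*$", re.IGNORECASE | re.MULTILINE)
BHO_KEY = "browser helper objects"  # registry key name under which BHOs register

def inspect_new_file(path, limit=65536):
    """Read at most `limit` bytes and report INF-like / BHO-related content."""
    with open(path, "rb") as fh:
        text = fh.read(limit).decode("latin-1")
    return {"looks_like_inf": bool(INF_SECTION_RE.search(text)),
            "mentions_bho": BHO_KEY in text.lower()}

def find_pairs(root):
    """List every *2.exe under root with its sibling .new file, if one exists."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        by_lower = {f.lower(): f for f in files}  # case-insensitive lookup
        for name in files:
            m = EXE_RE.match(name)
            if not m:
                continue
            companion = by_lower.get(m.group("stem").lower() + ".new")
            entry = {"folder": os.path.relpath(folder, root), "exe": name,
                     "new": companion, "looks_like_inf": False, "mentions_bho": False}
            if companion:
                entry.update(inspect_new_file(os.path.join(folder, companion)))
            findings.append(entry)
    return sorted(findings, key=lambda e: (e["folder"], e["exe"]))

def demo():
    """Build a constructed directory tree (not real samples) and scan it."""
    inf = ("[Version]\r\nSignature=\"$CHICAGO$\"\r\n[AddReg]\r\n"
           "HKLM,\"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
           "Browser Helper Objects\\{CONSTRUCTED-PLACEHOLDER}\"\r\n")
    with tempfile.TemporaryDirectory() as root:
        for rel, data in [("a/Example2.exe", b"MZ"), ("a/Example.new", inf.encode()),
                          ("b/Lone2.exe", b"MZ"), ("b/readme.txt", b"text")]:
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)
        return find_pairs(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A lone `*2.exe` with no `.new` sibling is still reported, with `new` set to `None`, so both cases mentioned in the thread show up in one listing.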