[thelist] odd IE worm or something..

Michael Pemberton mpember at phreaker.net
Sun Nov 9 21:55:53 CST 2003


Tom Dell'Aringa <pixelmech at yahoo.com> wrote:

> Hi folks,
> 
> I have a strange thing happening with my IE on winXP. I've run
> ad-aware and a full virus scan which has turned up nothing.
> 
> You can see a screen shot here:
> 
> http://www.pixelmech.com/review/ieThing.gif
> 
> What happens is that an IE window spawns of *its own accord.* When it
> happens, I don't know, but in this case nothing was running. I come
> back and there it is. You cannot navigate to the window at all, there
> is no window per se. The window title seems to be the "==" part. I
> can easily alt-F4 and close it or close it in the task window.
> 
> It does NOT show up when you alt-tab through open apps. 
> 
> Anyone have an idea how I can find out/remove this?
> 
> Tom
> 
> =====
> http://www.pixelmech.com/ :: Web Development Services
> http://www.DMXzone.com/ :: JavaScript Author / Every Friday!
> http://www.thywordistruth.net/ :: Eternal Life
> 
> "I'll ho ho and ha ha you!" (Daffy Duck)

This is a "virus".  It opens a connection to an outside server and acts as a
gateway to allow these popups to be generated at will.

I have seen this on my brother's PC.  The reason I know that it is not RPC /
Messenger related is because the PC is behind a NAT firewall.  This means that
there is no external method of sending a message via these services.

<tip subject="Startup Control Panel" author="Michael Pemberton">
Sick of having all those pesky programs loading on bootup?
Get a program called Startup Control Panel.

http://www.mlin.net/StartupCPL.shtml

This will allow you to select which programs you want to keep and which can be
disabled.

There is one known problem: disabling may not be enough.  Programs, such as Real
Player, put themselves back if they find you have disabled the entry.  The
only way to stop this kind of activity is to keep the entry and simply modify
it.  Simply adding "get lost" to the start of the command line being executed
for the entry should be enough.

When Windows is unable to find the program "get", it simply keeps on going
without executing the command.  Real Player thinks you left it there and
doesn't force itself back into the startup.
</tip>

I can't remember the exact file name, but from memory it stuck out because it
was putting the executable in the windows / winnt folder.
---
Michael Pemberton
evolt at mpember.net.au
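
Added example, not part of the original message: a small triage pass over startup (Run-key style) command lines that flags entries whose executable sits directly in the Windows folder, as described above, and recognises entries neutralised with a bare leading word such as "get lost". The entry names, paths and the `WINDOWS_ROOTS` locations are constructed assumptions, and taking the first token as the program is a simplification of how Windows resolves unquoted command lines.

```python
import ntpath

# Assumed Windows install folders (lower-case); adjust for the machine being checked.
WINDOWS_ROOTS = {r"c:\windows", r"c:\winnt"}

# Constructed sample entries (value name -> command line), not taken from the post.
# On a live system the same mapping could be read from the Run keys with winreg.
SAMPLE_RUN_ENTRIES = {
    "ExamplePlayer": r'get lost "C:\Program Files\ExamplePlayer\player.exe" /boot',
    "updater": r"C:\WINDOWS\winupd32.exe /s",
    "AVScan": r'"C:\Program Files\AV Vendor\avscan.exe" -boot',
    "helper": r"C:\WINNT\system32\helper.exe",
}


def executable_of(command_line):
    """Return the program part of a startup command line (simplified)."""
    cmd = command_line.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0]


def classify(command_line):
    """Label one entry: 'empty', 'bare-name', 'windows-root' or 'other'."""
    exe = executable_of(command_line)
    if not exe:
        return "empty"
    folder = ntpath.normcase(ntpath.dirname(exe))
    if not folder:
        # No folder given: resolved via the search path, or (like "get") not found.
        return "bare-name"
    if folder in WINDOWS_ROOTS:
        # Executable dropped straight into the Windows folder: worth a closer look.
        return "windows-root"
    return "other"


def triage(entries):
    """Map every entry name to its label."""
    return {name: classify(cmd) for name, cmd in entries.items()}


if __name__ == "__main__":
    for name, label in sorted(triage(SAMPLE_RUN_ENTRIES).items()):
        print(f"{label:13} {name}: {SAMPLE_RUN_ENTRIES[name]}")
```

A "windows-root" or "bare-name" label is only a prompt to inspect the entry; legitimate programs can produce either.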




