[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Email Harvesting virus?

To: "'Blue Boar'" <BlueBoar@thievco.com>, "Joel R. Helgeson" <joel@helgeson.com>
Subject: RE: [Full-Disclosure] Email Harvesting virus?
From: "David Vincent" <david.vincent@mightyoaks.com>
Date: Tue, 7 Oct 2003 09:31:22 -0700

> > A customers machine appears to be infected with some type of malware 
> > that apparently harvests email addresses and puts them into a file named

> > '~'.  Just the tilde ~, no extention.  This file is created under the 
> > C:\Documents and Settings\%username%\~.  I have attached a zipped copy 
> > of the file for refrence.
> >  
> > I came across the file earlier today, renamed it and copied it off to a 
> > keychain USB drive for later analysis. Well, the file re-created itself 
> > and the malware creating it is not immediately apparent.  I've scanned 
> > all the running apps but I haven't had much time to investigate.
> >  
> > Any ideas?
> 
> Microsoft Word? :) It appears to be one of the backup files 
> that Word makes while you are working.

this is a side effect of the Q330994 patch for outlook express.  check it
out, that file is only a copy of your address book.  see it on tons of
machines, and i haven't found any solution to it yet.

http://www.google.com/search?hl=en&lr=&ie=UTF-8&oe=utf-8&q=q330994+patch+%7E
&btnG=Google+Search


-d

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re[2]: [Full-Disclosure] Email Harvesting virus?
  - From: Papp Geza <pappgeza@tolna.net>

Prev by Date: RE: [Full-Disclosure] Spam with PGP
Next by Date: Re: [Full-Disclosure] Spam with PGP
Previous by thread: Fw: [Full-Disclosure] Email Harvesting virus?
Next by thread: Re[2]: [Full-Disclosure] Email Harvesting virus?
Index(es):
- Date
- Thread