RE: [Full-disclosure] Re: Shell32.dll.124.config

From: y0himba (y0himba_at_technolounge.org)
Date: 09/06/05

    To: <full-disclosure@lists.grok.org.uk>
    Date: Tue, 6 Sep 2005 09:53:30 -0400
    
    

    If you had read the message, I stated that it showed up in scans but
    could not be found on the system. If you must have the exact text from the
    log:

    9/6/2005,9:37:59 WARNING: AVGuard detected a problem in the file
      C:\WINDOWS\SYSTEM32\SHELL32.DLL.124.CONFIG
          INFO: The access to the file has been denied!

    If the information had contained something helpful, I would have posted it.
    Also, to keep the messages to a smaller size, I didn't post the text from
    Filemon. I am quite sure that folks are smart enough to ask for the
    information if they need it.

    Thank you for the link! :) Good reading although my computer is
    experiencing none of the symptoms listed.

    -----Original Message-----
    From: full-disclosure-bounces@lists.grok.org.uk
    [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Dave Korn
    Sent: Tuesday, September 06, 2005 9:40 AM
    To: full-disclosure@lists.grok.org.uk
    Subject: [Full-disclosure] Re: Shell32.dll.124.config

    > ----- Original Message -----
    > From: "y0himba"
    > Sent: Monday, September 05, 2005 4:33 PM

    >> Yes I am a "noob". I have a question though. Google searches and a
    >> few other things can tell me nothing about "shell32.dll.124.config".
    >> I am on WindowsXP SP2, and keep seeing this file show up in antivirus
    >> scans, but cannot find it anywhere on the system! I think it is
    >> dynamically created by something, but after sitting and watching
    >> Filemon 7.02 for 20 minutes or so, I give up. Has anyone heard of this file?
    >> Antivir, Bitdefender, AVG and Clam all show it on the system, have
    >> scanned it, but have found nothing. I have never seen this file before...

    ----Original Message----
    >From: Morning Wood
    >Message-Id: BAY19-DAV10034B5749FF0FE3BCF10ED9A70@phx.gbl

    > sounds like an ADS ( alternate data stream )

      No it doesn't. ADS filenames have a ':' as a separator. That name only
    has dots in it and so is not an ADS. It is part of some kind of known
    malware:

    http://forums.spywareinfo.com/index.php?showtopic=7447&st=15

      I guess y0himba's AV is detecting the attempt to access this file as
    suspicious whether or not it actually exists, but he forgot to mention
    anything about what the AV actually _says_ about it. y0himba, next time
    you're reporting an error message, how about actually quoting the text, huh?

        cheers,
          DaveK

    --
    Can't think of a witty .sigline today....
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
    -- 
    No virus found in this incoming message.
    Checked by AVG Anti-Virus.
    Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
     
    -- 
    No virus found in this outgoing message.
    Checked by AVG Anti-Virus.
    Version: 7.0.344 / Virus Database: 267.10.18/90 - Release Date: 9/5/2005
     
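As an added example (not part of the thread), here is a small Python parser for the AVGuard entry layout y0himba quoted, combined with the check Dave Korn describes: an alternate data stream name carries a ':' stream separator, while a name made only of dots does not. The second log entry and its stream name are constructed for contrast; the only thing assumed is the three-line entry layout shown in the post.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the layout of the AVGuard entry quoted in the thread.
# The second entry (a stream-named file) is invented to show the contrast.
SAMPLE_LOG = """\
9/6/2005,9:37:59 WARNING: AVGuard detected a problem in the file
  C:\\WINDOWS\\SYSTEM32\\SHELL32.DLL.124.CONFIG
      INFO: The access to the file has been denied!
9/6/2005,9:38:10 WARNING: AVGuard detected a problem in the file
  C:\\Temp\\notes.txt:hidden.exe:$DATA
      INFO: The access to the file has been denied!
"""

WARN_RE = re.compile(r"^(\S+,\S+)\s+WARNING:\s+(.*)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


@dataclass
class Finding:
    timestamp: str
    path: str
    info: Optional[str]


def parse_avguard(text: str) -> list[Finding]:
    """Group each WARNING line with the indented path and INFO lines after it."""
    findings: list[Finding] = []
    current: Optional[Finding] = None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := WARN_RE.match(line)):
            current = Finding(timestamp=m.group(1), path="", info=None)
            findings.append(current)
        elif current is not None and line.startswith("INFO:"):
            current.info = line[len("INFO:"):].strip()
        elif current is not None and line and not current.path:
            current.path = line          # first indented line is the file path
    return findings


def stream_name(path: str) -> Optional[str]:
    """Return the NTFS stream part of a path, or None if the name has no stream.

    Only a ':' inside the last path component counts; the ':' after a drive
    letter ("C:") is a drive separator, so it is stripped before checking.
    """
    component = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if component == path and DRIVE_RE.match(component):
        component = component[2:]    # bare "C:name" form, no directory part
    if ":" not in component:
        return None
    return component.split(":", 1)[1]


def is_ads(path: str) -> bool:
    return stream_name(path) is not None
```

Run over the quoted entry, the SHELL32.DLL.124.CONFIG name parses as a plain multi-dot filename with no stream, which is exactly why the ADS explanation does not fit.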
    
