Strange Service is showing up on PC's on our network
From: Knight, Jim (Jim.Knight_at_YUM.COM)
Date: Thu, 29 Jan 2004 11:29:44 -0500
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I wanted to find out if anyone has seen this in the last couple of days.
I received a call from a Support Person saying that there is a process
running on his system that he didn't recognize and after some
investigation and some warnings from Cisco CSA about a process trying to
drop itself on my computer I have the following information.
Process file name is NTOSA32.EXE and it is listed on a computer with it
running as Distributed File Controller, with a dependency on RPC. ALL
of the systems that this has attacked are 100% patched and have virus
definitions of 1/28/2004.
It seems to be linked to another file, NTBKH32.DLL.
As I was investigating this I got several warnings from CSA telling me
the file NTOSA32 was trying to capture keystrokes and write a file
I also got information from our Network Services team saying that they
had to block one of our links to Australia due to the fact it was
slamming the router at 99%. This may have been where the original came
Anyone seen anything or know of anything dealing with this? Searches on
Google, MS and SARC reveal nothing.