Strange Service is showing up on PC's on our network

From: Knight, Jim (Jim.Knight_at_YUM.COM)
Date: 01/29/04

  • Next message: Russ: "Re: Strange Service is showing up on PC's on our network"
    Date:         Thu, 29 Jan 2004 11:29:44 -0500

    I wanted to find out if anyone has seen this in the last couple of days.


    I received a call from a Support Person saying that there is a process
    running on his system that he didn't recognize, and after some
    investigation and some warnings from Cisco CSA about a process trying to
    drop itself on my computer, I have the following information.


    Process file name is NTOSA32.EXE and it is listed on a computer with it
    running as Distributed File Controller, with a dependency on RPC. ALL
    of the systems that this has attacked are 100% patched and have virus
    definitions of 1/28/2004.


    It seems to be linked to another file NTBKH32.DLL


    As I was investigating this I got several warnings from CSA telling me
    the file NTOSA32 was trying to capture keystrokes and write a file


    I also got information from our Network Services team saying that they
    had to block one of our links to Australia due to the fact it was
    slamming the router at 99%. This may have been where the original came



    Anyone seen anything or know of anything dealing with this? Searches on
    Google, MS and SARC reveal nothing.








