FYI: A/V update, Wordpad CLSID folder w/ctfmon.exe
- From: "NT Canuck" <ntcanuck@xxxxxxxxxxx>
- Date: Wed, 6 Jan 2010 18:51:35 -0600
Re-incarnation of ctfmon.exe
C:\Documents and Settings\All Users\WordPad
Uses a folder named with a registry CLSID.
Created (so far as I can find) by "setup" wrappers
that have been tampered with remotely on a per-location
(remote) or per-download-link (misc.) basis.
Contacts external (remote) URLs (likely 4 or more),
typically by using a ctfmon.exe (it appears as a legitimate,
MS-signed 6-8 KB file; the real one is in \system32).
As a legitimate-appearing MS file, many firewalls/A/Vs may
let it online/through untethered if 'trust MS' is enabled.
(It can be noticed by checking online status/live connections
and inspected via packet monitoring; it may get past some
that allow trusted MS files or don't monitor those.)
Stop the process in task manager, and cut/delete file/folder.
The A/Vs should have been updated yesterday with this,
but if you find one of those little stinkers, then upload it
to your A/V's online feedback/repository.
You're welcome, hope you don't have it. ;)
'Seek and ye shall find'
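The check-and-clean procedure the post describes (find the CLSID-named folder, spot a ctfmon.exe that is not the one in System32, look at its signature and live connections, stop it, delete file and folder) as a PowerShell script. This is an added example, not code from the original post or from its author. It assumes PowerShell 3 or later run from an elevated prompt on Windows; the CLSID regular expression, the use of `$env:ALLUSERSPROFILE` (which is `C:\Documents and Settings\All Users` on XP and `C:\ProgramData` later), the `netstat -ano` parsing and the `-WhatIf` safety switch are this example's own choices, not anything the post specifies.

```powershell
# Added example (not from the original post): hunt for a ctfmon.exe impostor
# running from outside %SystemRoot%\System32, inspect it, then clean it up.
# Assumes PowerShell 3+ (Get-CimInstance, -Directory) and an elevated prompt so
# that process image paths and owning PIDs are visible.

$legit = Join-Path $env:SystemRoot 'System32\ctfmon.exe'

# 1. Folders under the All Users profile whose name looks like a registry CLSID,
#    i.e. {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}. Reported, not deleted blindly:
#    legitimate installers also leave CLSID-named folders behind.
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$clsidDirs = Get-ChildItem -LiteralPath $env:ALLUSERSPROFILE -Directory -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $clsidPattern }
foreach ($d in $clsidDirs) { Write-Host "CLSID-named folder: $($d.FullName)" }

# 2. Every running ctfmon.exe whose image path is NOT the real one in System32.
$impostors = Get-CimInstance Win32_Process -Filter "Name = 'ctfmon.exe'" |
    Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ine $legit) }

# 3. TCP connections per owning PID, parsed from netstat (available on every
#    Windows version, unlike Get-NetTCPConnection).
#    Sample line: "  TCP    10.0.0.5:49152    203.0.113.7:443    ESTABLISHED    1234"
$conns = netstat -ano | Select-String '^\s*TCP\s+\S+\s+(\S+)\s+(\w+)\s+(\d+)\s*$' | ForEach-Object {
    $m = $_.Matches[0]
    [pscustomobject]@{
        Remote    = $m.Groups[1].Value
        State     = $m.Groups[2].Value
        ProcessId = [int]$m.Groups[3].Value
    }
}

# 4. Report each impostor: path, size, Authenticode status and signer, remote peers.
#    A "trust Microsoft" firewall rule keys on the signer, so look at the actual
#    signature status and certificate subject, not just the file name.
foreach ($p in $impostors) {
    $sig  = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
    $size = (Get-Item -LiteralPath $p.ExecutablePath).Length
    Write-Host "PID $($p.ProcessId): $($p.ExecutablePath)"
    Write-Host "  size: $size bytes  signature: $($sig.Status)  signer: $($sig.SignerCertificate.Subject)"
    $conns | Where-Object { $_.ProcessId -eq $p.ProcessId } | ForEach-Object {
        Write-Host "  -> $($_.Remote) [$($_.State)]"
    }
}

# 5. Cleanup as the post describes: stop the process, delete the file, and delete
#    its containing folder if that folder is CLSID-named. -WhatIf only previews;
#    remove it once the report above confirms the file is the impostor.
foreach ($p in $impostors) {
    $parent = Split-Path -Parent $p.ExecutablePath
    Stop-Process -Id $p.ProcessId -Force -WhatIf
    Remove-Item -LiteralPath $p.ExecutablePath -Force -WhatIf
    if ((Split-Path -Leaf $parent) -match $clsidPattern) {
        Remove-Item -LiteralPath $parent -Recurse -Force -WhatIf
    }
}
```

Run it once with `-WhatIf` in place to see what would be stopped and removed, then rerun without it. A copy of the file for your A/V vendor should be taken before the `Remove-Item` lines run, since step 5 deletes it.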