FYI: A/V update, Wordpad CLSID folder w/ctfmon.exe
FYI

re-incarnation of ctfmon.exe

Location
C:\Documents and Settings\All Users\WordPad

Threat
Uses a folder named with a registry CLSID
Created (so far as I can find) by "setup" wrappers
that have been tampered with remotely on a per
location (remote) or download link (misc).

Action
Contacts external (remote) URLs (likely 4 or more),
typically by using a ctfmon.exe (appears as a legitimate
and MS-signed 6-8 KB file; the real one is in /system32).
As a legitimate-appearing MS file, many firewalls/A/Vs may
let it online/through untethered if 'trust MS' is enabled.
(Can be noted by checking online status/live connections
and inspected via packet monitoring; may get past some
that allow trusted MS files or don't monitor those.)

Remedy
Stop the process in Task Manager, and cut/delete the file/folder.
The A/Vs should have been updated yesterday with this,
but if you find one of those little stinkers, then upload it
to your A/V online feedback/repository.

You're welcome, hope you don't have it. ;)

--
'Seek and ye shall find'
NT Canuck
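The two checks the post describes (a ctfmon.exe running from anywhere but System32, and a CLSID-named folder under the WordPad path) can be turned into a report-only triage script. The following is an added example, not NT Canuck's code; it assumes a modern Windows host with PowerShell 5.1 or later (Get-NetTCPConnection needs Windows 8 / Server 2012 or newer), and it checks the XP-era path quoted in the post alongside its ProgramData equivalent, which is an assumption on my part.

```powershell
# Added triage script (not from the original post). Reports, does not remediate.
$clsidPattern = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
$legitCtfmon  = Join-Path $env:SystemRoot 'System32\ctfmon.exe'

# Folder from the post plus the modern equivalent (assumed location).
$suspectRoots = @(
    'C:\Documents and Settings\All Users\WordPad',
    (Join-Path $env:ALLUSERSPROFILE 'WordPad')
) | Where-Object { Test-Path $_ }

# 1. Any running ctfmon.exe whose image is not the System32 copy is suspect.
$rogueProcs = Get-Process -Name ctfmon -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and ($_.Path -ne $legitCtfmon) }

foreach ($p in $rogueProcs) {
    $sig  = Get-AuthenticodeSignature -FilePath $p.Path
    # "Looks signed by MS" is not enough: require a valid chain AND a Microsoft subject.
    $isMsSigned = ($sig.Status -eq 'Valid') -and
                  ($sig.SignerCertificate.Subject -like '*Microsoft*')
    # Live outbound connections owned by this PID (the "online status" check in the post).
    $conns = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
        Where-Object { $_.State -eq 'Established' } |
        ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

    [pscustomobject]@{
        Pid         = $p.Id
        Path        = $p.Path
        SizeBytes   = (Get-Item $p.Path).Length   # post says 6-8 KB for the fake
        SigStatus   = $sig.Status
        IsMsSigned  = $isMsSigned
        Connections = ($conns -join ', ')
    }
}

# 2. A folder named like a registry CLSID under the WordPad path is suspect on its own.
foreach ($root in $suspectRoots) {
    Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match $clsidPattern } |
        ForEach-Object {
            $exe = Get-ChildItem -Path $_.FullName -Filter 'ctfmon.exe' -Recurse -File `
                       -ErrorAction SilentlyContinue
            [pscustomobject]@{
                ClsidFolder = $_.FullName
                CtfmonFound = [bool]$exe
            }
        }
}
```

The script deliberately stops at reporting; the post's remedy maps onto Stop-Process -Id <pid> -Force followed by Remove-Item -Recurse on the CLSID folder, which you would run only after confirming the hits and keeping a copy of the file to submit to your A/V vendor. The IsMsSigned column is the useful one: a file that merely carries a Microsoft-looking name or icon will show a signature status other than Valid, or a non-Microsoft signer, and that is what a "trust MS files" firewall rule should be keyed on rather than the file name.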
