FYI: A/V update, Wordpad CLSID folder w/ctfmon.exe
FYI

Reincarnation of ctfmon.exe

Location
C:\Documents and Settings\All Users\WordPad

Threat
Uses a folder named with a registry CLSID.
Created (so far as I can find) by "setup" wrappers
that have been tampered with remotely, on a per-location
(remote) or per-download-link (misc.) basis.

Action
Contacts external (remote) URLs (likely 4 or more),
typically by using a ctfmon.exe (appears as a legitimate
file signed by MS, 6-8 KB; the real one is in /system32).
As a legitimate-appearing MS file, many firewalls/A/Vs may
let it online/through untethered if 'trust MS' is enabled.
(Can be noted by checking online status/live connections
and inspected via packet monitoring; it may get past some
that allow trusted MS files or don't monitor those.)

Remedy
Stop the process in Task Manager, and cut/delete the file/folder.
The A/Vs should have been updated yesterday with this,
but if you find one of those little stinkers, then upload it
to your A/V's online feedback/repository.

You're welcome, hope you don't have it. ;)

--
'Seek and ye shall find'
NT Canuck
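The checks the post describes (is the running ctfmon.exe the one in System32, does it carry a real signature, what is it talking to, and is there a CLSID-named folder under the WordPad directory holding a copy), written up as a PowerShell script. This is an added example, not code from the original post: it assumes a modern Windows host with PowerShell 3+ (Get-NetTCPConnection needs Windows 8/2012 or later), the $env:ProgramData\WordPad path is an assumed equivalent of the XP-era "All Users" path named in the post, and the CLSID folder name is matched by pattern because the actual name is not known here. Deletion is left commented out so nothing is removed before a human has looked at it.

```powershell
# Added example (not from the original post). Hunts for a ctfmon.exe running from
# anywhere other than the real System32 copy, reports its Authenticode signature,
# size and live TCP connections, then looks for CLSID-named folders under the
# WordPad directory that contain a ctfmon.exe.

$legit = Join-Path (Join-Path $env:SystemRoot 'System32') 'ctfmon.exe'

function Get-SuspectCtfmon {
    # Win32_Process exposes the full image path, which is what the post keys on:
    # the malicious copy lives outside System32 even though it "looks" like MS's.
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'ctfmon.exe'"
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $sig  = $null; $size = $null
        if ($path -and (Test-Path $path)) {
            $sig  = Get-AuthenticodeSignature -FilePath $path
            $size = (Get-Item $path).Length
        }
        # Established connections owned by this PID (the post's "live connections").
        $remotes = Get-NetTCPConnection -OwningProcess $p.ProcessId -ErrorAction SilentlyContinue |
            Where-Object { $_.State -eq 'Established' } |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        [pscustomobject]@{
            PID        = $p.ProcessId
            Path       = $path
            InSystem32 = [bool]($path -and ($path -ieq $legit))
            SizeBytes  = $size
            SigStatus  = if ($sig) { $sig.Status } else { 'n/a' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
            Remotes    = ($remotes -join ', ')
        }
    }
}

function Get-ClsidCtfmonCopies {
    # Assumed locations: the XP path from the post plus its modern equivalent.
    $roots = @(
        'C:\Documents and Settings\All Users\WordPad',
        (Join-Path $env:ProgramData 'WordPad')
    ) | Where-Object { Test-Path $_ }

    # A registry CLSID looks like {8-4-4-4-12 hex digits}; match folders named that way.
    $clsid = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'
    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $clsid } |
            Get-ChildItem -Filter 'ctfmon.exe' -Recurse -ErrorAction SilentlyContinue |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Anything not running from System32 is the suspect, regardless of what the
# signature says: a valid signature proves the bytes, not the location.
$running = Get-SuspectCtfmon
$running | Format-Table -AutoSize
$suspects = $running | Where-Object { -not $_.InSystem32 }

$copies = Get-ClsidCtfmonCopies
$copies | Format-Table -AutoSize

# Remedy from the post: stop the process, then delete the file/folder.
# Left commented out on purpose; run it only after confirming the findings above
# and after saving a copy for your A/V vendor's submission portal.
# foreach ($s in $suspects) { Stop-Process -Id $s.PID -Force }
# foreach ($c in $copies)   { Remove-Item -LiteralPath (Split-Path $c.FullName) -Recurse -Force }
```

Run it from an elevated PowerShell; the process enumeration shows every ctfmon.exe with its path and signer, and InSystem32 = False is the line to act on. If Get-NetTCPConnection is unavailable, the Remotes column will simply be empty and netstat -ano filtered on the PID gives the same view.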