Re: 2 files titled Systray.exe? Worm maybe?

From: "karl [x y]" <jamescagney90210@excite.com>
Date: Wed, 28 Aug 2002 07:05:38 -0400


I'm not sure I would just delete it without trying to understand what trojan
it is, what it does, what other files might be there and how it got there.
If you just delete the file without taking other action, you could be hacked
again later. Try running a trojan scanner like www.pestpatrol.com or
www.sunbelt-software.com / www.gfi.com [free trial, I believe] to scan it.
Pestpatrol.com has a free mini-scanner that looks for common port numbers of
some trojans, and fport from foundstone.com is also useful in this way. You
could try submitting it to your favorite antivirus or anti-trojan vendor;
there is probably a way to submit it within Norton AntiVirus or by
downloading a tool from www.symantec.com. You might also download and run
Startup Cop [try searching www.google.com, www.download.com, etc. to find
it] to see some other places where suspicious files could be launching at
startup. If IIS web services are running on your computer, you could open
and read your IIS logs. You could also download and install the free Sygate
firewall to see if any trojans are sending out traffic to the internet.

[A search of Coldlife on Google indicates it could be an IRC backdoor.]

If a hacker compromised your computer and put this file there, he or she
might have put other back doors on your system. If this is what happened,
you can't be sure you've removed all the back doors that allow future entry
to your computer unless you format the system and reinstall Windows and
everything. [If the trojan came from an email attachment or is not really a
trojan, then this may not be necessary to do.]

Either way, you want to be sure to secure your system by installing all
patches and using secure settings by following the checklists to harden
Windows and IIS [if installed], which are all at www.microsoft.com/security.

"Meg" <megarts@hotmail.com> wrote in message
news:625901c24e47$d9cc88e0$9de62ecf@tkmsftngxs01...
While scouring my system of Trojans, I found systray in two
places in WINNT. WINNT\system\Systray.exe and
WINNT\system32\systray.exe. The former looks like a worm
with a bogus copyright, Copyright © 2002-2003
Liv[e]viL/icmp & w4nk-h3r. The other has a Microsoft
copyright. Can I delete the first one or will I lose
valuable data? Is there something else I should do besides
that? It does load a blank page when I boot the system with
a faint tracing of Coldlife 5 on it. Scans with Norton
Virus, Personal firewall and various other programs did not
produce this file as a threat.

TIA!

Meg
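The triage karl describes (identify the file, check the startup locations, and map open sockets to their owning processes the way fport does) gathered into one script, as an added example that is not part of the original thread. It is a modern PowerShell equivalent of the 2002-era tools named above and assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated prompt; the two paths are the ones Meg reported, everything else (function names, the set of autostart keys checked) is illustrative.

```powershell
# Added example, not from the original post. Triage of a suspicious executable
# that shares its name with a legitimate system binary. Run from an elevated
# PowerShell prompt; requires Get-NetTCPConnection (Windows 8 / 2012 or later).
param(
    # The two copies Meg found; $env:SystemRoot is WINNT on NT/2000, Windows later.
    [string[]]$Paths = @("$env:SystemRoot\system\Systray.exe",
                         "$env:SystemRoot\system32\systray.exe")
)

function Get-FileIdentity {
    # Hash, Authenticode status and the PE version block. A genuine Microsoft
    # binary carries a valid Microsoft signature; a copyright string alone proves
    # nothing, since anyone can write one into a resource section.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path      = $Path
        Size      = $item.Length
        Modified  = $item.LastWriteTimeUtc
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Company   = $item.VersionInfo.CompanyName
        Copyright = $item.VersionInfo.LegalCopyright
    }
}

function Get-AutostartEntries {
    # The Run/RunOnce keys, the Winlogon Shell/Userinit values and the Startup
    # folders: the usual places a trojan registers itself to be relaunched at
    # boot or logon (what Startup Cop was used for in the thread).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (Test-Path $k) {
            $props = Get-ItemProperty -Path $k
            foreach ($p in $props.PSObject.Properties) {
                # Skip the provider bookkeeping properties (PSPath, PSDrive, ...)
                if ($p.Name -notmatch '^PS') {
                    [pscustomobject]@{ Source = $k; Name = $p.Name; Command = $p.Value }
                }
            }
        }
    }
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($n in 'Shell', 'Userinit') {
        $v = (Get-ItemProperty -Path $wl -Name $n -ErrorAction SilentlyContinue).$n
        if ($v) { [pscustomobject]@{ Source = $wl; Name = $n; Command = $v } }
    }
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if ($dir -and (Test-Path $dir)) {
            Get-ChildItem -LiteralPath $dir -File | ForEach-Object {
                [pscustomobject]@{ Source = $dir; Name = $_.Name; Command = $_.FullName }
            }
        }
    }
}

function Get-SocketsByProcess {
    # What fport / netstat -ano show: each TCP socket with its owning process and
    # image path. An IRC backdoor usually holds an outbound Established connection
    # to its control server, so those matter as much as local listeners.
    Get-NetTCPConnection -State Listen, Established | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            PID     = $_.OwningProcess
            Process = $proc.ProcessName
            Image   = $proc.Path
        }
    }
}

Write-Host '== File identity =='
$Paths | ForEach-Object { Get-FileIdentity -Path $_ } | Format-List
Write-Host '== Autostart entries =='
Get-AutostartEntries | Format-Table -AutoSize
Write-Host '== TCP sockets by owning process =='
Get-SocketsByProcess | Sort-Object State, Process | Format-Table -AutoSize
```

The point of the first section is the comparison: the system32 copy should show Signature = Valid with a Microsoft signer, while a planted copy will be unsigned (or carry a signature whose subject is not Microsoft) whatever its copyright resource says. The SHA256 value is what you would submit to the antivirus vendor. If the Run keys or Winlogon values reference the suspect path, or a socket table row points at it, that corroborates the "backdoor" reading in the thread; it still does not prove there is no second implant, which is why karl's advice to rebuild after a confirmed compromise stands.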