Is this a virus / trojan / worm ?

From: Frank (someone_at_microsoft.com)
Date: 06/28/05

Next message: Braindead: "Tweak XP Folder Protection"
Previous message: STL_Alex: "RE: restricting access to websites"
Next in thread: Kerry Brown: "Re: Is this a virus / trojan / worm ?"
Reply: Kerry Brown: "Re: Is this a virus / trojan / worm ?"
Reply: David H. Lipman: "Re: Is this a virus / trojan / worm ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 27 Jun 2005 18:06:22 -0600

Hello,

Sorry if this is not the right group.

Someone who works for me received an email today with a zip file attachment
called "Original.zip" with the subject line "This picture is sent on SMS"
Inside the zip was a file called "F5434.EXE"

Even though I have warned this person again and again about opening zips
from unknown parties and running unknown executable files the idiot unzipped
the file and ran the exe.
At least he had the common sense to unplug his PC from the network when he
realized what he did.
I copied the zip to a 3-1/2" floppy and then copied it to a PC not on the
network but with Symantec current virus defs (June 22/05)
SAV reports no infection.

The funny thing is that the icon for the file is that of a jpeg.

If I run the exe it does nothing (that I can see) but it does show up in the
Task Manager as a running process. It runs for a short while then
drwatsn32.exe starts running and soon all the desktop icons disappear and
then reappear. At this point the F5434.EXE is no longer running nor is
drwatsn32.EXE.

If I look in the EventVwr it says "The application c:\windows\explorer.exe
generated an application error. The error occurred on (The Date) at (The
Time). The exception generated was 80000007 at 00000000 (ntdll!
KilFastSystemCallRet)
The next event in the Event Vwr "The shell stopped unexpectedly and
Explorer.exe was restarted"

Does anyone have a clue about what this is? I've searched with Google, I
searched at Symantec.com with no luck at all.

Thanks
Frank Klassen

Next message: Braindead: "Tweak XP Folder Protection"
Previous message: STL_Alex: "RE: restricting access to websites"
Next in thread: Kerry Brown: "Re: Is this a virus / trojan / worm ?"
Reply: Kerry Brown: "Re: Is this a virus / trojan / worm ?"
Reply: David H. Lipman: "Re: Is this a virus / trojan / worm ?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Is this a virus / trojan / worm ?
... "Frank" wrote in message ... > unzipped the file and ran the exe. ... > The next event in the Event Vwr "The shell stopped unexpectedly and ...
(microsoft.public.windowsxp.security_admin)
Re: Questions about .NET Deployment Models (i.e. ClickOnce)
... With dotnet you can still leave the exe on the server with a shortcut to it ... it really allowed me to go ahead and play around with ClickOnce ... having all of the executables on 1 spot on the network. ... mini-app and put a shell execute for it in the bigger app, ...
(microsoft.public.dotnet.framework)
Re: Who is using the EXE
... Running applications across a network is a bad idea for several reasons, ... The normal solution is to write a small launcher program which is installed ... if it finds a newer one on the server it copies it over the local ... I developed an application using VB6, placed the exe in a shared ...
(microsoft.public.vb.general.discussion)
RE: Running Fox Exes from a local network, VFP5.0 vs VFP6 - 8
... in the same folder on the network as the EXE and start the EXE with a ... Place the EXE and data on the network, ... Microsoft FoxPro Technical Support ... >responsibilties this is easy to connect new workstations to these apps. ...
(microsoft.public.fox.programmer.exchange)
Re: Network Issue
... i created a test protected mode exe ... started on my windows network ... copied it over the exe running on the network ...
(comp.lang.clipper)