This infected PC is only in use to administrate some server over here using VPN lines. Here in our network there are no additional copies of this program.

But this PC has access to a corporate network via VPN, and in this network I saw this file again. It crashed the moment I logged on via Windows Terminal Service. But I was not able to find the program on this machine after that. So it seems it came over the VPN line to our machine here.

It uses 2-4 MB of RAM, 76 handles and 2-3 threads. It was configured on our machine to load on booting using the registry key:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Realtek 8139 fix"="amdpatchB.exe"

Regards,
Michael

_____________________

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of Peter Kruse
Sent: Wednesday, 17 September 2003 21:52
To: [EMAIL PROTECTED]
Subject: SV: [Full-Disclosure] AMDPatchB & InstallStub

Hi,

Some kind of spyware/adware installed by the user?? Maybe a legit application??

Check: http://63.246.134.50/index.php

Would be nice with a sample, thx.

Kind regards // Med venlig hilsen

Peter Kruse
Security consultant / Virus analyst
CSIS / Kruse Security ApS
http://www.krusesecurity.dk - www.csis.dk

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On behalf of
> Michael Linke
> Sent: 17 September 2003 21:06
> To: [EMAIL PROTECTED]
> Subject: [Full-Disclosure] AMDPatchB & InstallStub
>
>
> At one of our computers with Internet access, I found a
> strange program running.
> amdpatchB.exe (38 KB)
>
> This program is trying to get Internet access while starting.
> amdpatchB.exe is connecting to 63.246.134.50:9900. There is a
> text-based protocol running on 63.246.134.50 at a service on
> port 9900. See telnet output:
> ________________________________________________________
> telnet 63.246.134.50 9900
> Trying 63.246.134.50...
> Connected to 63.246.134.50.
> Escape character is '^]'.
> NOTICE AUTH :*** Looking up your hostname
> NOTICE AUTH :*** Checking Ident
> NOTICE AUTH :*** Found your hostname
> help
> :Drones2.newiso.org 451 * :Register first.
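The telnet output quoted in the thread is the greeting of an IRC daemon (the `NOTICE AUTH` lines and the `451` "Register first" numeric reply), which is what an incident responder needs to recognise when deciding whether an unknown outbound connection is bot command-and-control. The following script is an added example, not code from the thread or from any of its participants: it parses banner lines in the RFC 1459 wire format and reports whether the captured service looks like an IRC server and which server name it announced. The sample lines are reconstructed from the telnet session above; the operator's own typed `help` is left out because it is input, not server output.

```python
"""Classify a captured TCP banner as IRC server output (added example).

The IRC wire format (RFC 1459) is:  [':' prefix ' '] command {' ' param} [' :' trailing]
A prefix names the sender (the server, for greetings); a command is either an
alphabetic word (NOTICE, PING) or a three-digit numeric reply (451 = not registered).
"""
import re
from typing import List, NamedTuple, Optional


class IrcMessage(NamedTuple):
    prefix: Optional[str]   # server or user that sent the line, if given
    command: str            # uppercase verb or three-digit numeric reply
    params: List[str]       # middle parameters followed by the trailing text


# Constructed from the telnet output quoted in the thread (server lines only).
CAPTURED_BANNER = [
    "NOTICE AUTH :*** Looking up your hostname",
    "NOTICE AUTH :*** Checking Ident",
    "NOTICE AUTH :*** Found your hostname",
    ":Drones2.newiso.org 451 * :Register first.",
]


def parse_irc_line(line: str) -> Optional[IrcMessage]:
    """Parse one wire line; return None if it is not well-formed IRC."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        return None
    command, params = parts[0], parts[1:]
    if trailing is not None:
        params.append(trailing)
    # Anything that is not a word or a numeric reply is not an IRC command
    if not re.fullmatch(r"[A-Za-z]+|\d{3}", command):
        return None
    return IrcMessage(prefix, command.upper(), params)


def classify_banner(lines: List[str]) -> dict:
    """Decide whether a banner grab came from an IRC daemon.

    Evidence used: the pre-registration 'NOTICE AUTH' lines that ircd software
    sends to new connections, and numeric replies that carry a server prefix.
    """
    msgs = [m for m in (parse_irc_line(l) for l in lines) if m is not None]
    notice_auth = any(
        m.command == "NOTICE" and m.params and m.params[0].upper() == "AUTH"
        for m in msgs
    )
    numerics = [m for m in msgs if m.command.isdigit() and m.prefix]
    return {
        "is_irc": notice_auth or bool(numerics),
        "server_name": numerics[0].prefix if numerics else None,
        "numeric_replies": [m.command for m in numerics],
        # 451 ERR_NOTREGISTERED: the server expects NICK/USER before anything else
        "not_registered": any(m.command == "451" for m in numerics),
    }


if __name__ == "__main__":
    for line in CAPTURED_BANNER:
        print(parse_irc_line(line))
    print(classify_banner(CAPTURED_BANNER))
```

Feeding the same function a banner from a non-IRC service (an SSH or HTTP greeting) yields `is_irc` false, so the check can be applied to any banner grab collected while triaging unexplained outbound connections such as the one to port 9900 described above.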
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
