John J. Smith
Guest
Re: Can anyone help me identify a possible Trojan?
« Reply #4 on: Sep 2nd, 2003, 9:40pm »
I don't think that mads.exe is the actual Trojan. I have never seen this run other than the one time it was created. It's a small exe (44K) and I immediately renamed it. It didn't appear to exist anywhere else on my system and it's not set to automatically run anywhere that I can see. My belief is that it was the delivery system only and was meant to run only once. The fact that it executed an illegal operation gives me hope that perhaps it was not able to do its job. I use Win98. Looking in the App Log directory under Windows, I saw the log left when this exe ran. It's very short, but I really don't know how to read it. I do see that it appears to have done something to win.ini (I think), but I see no changes to that file and the modify date is a fair amount of time ago. In particular I looked to see if it added anything to the "run=" line, but it's still as blank as it ever was. It doesn't look like it did anything, but perhaps all it wanted to do was read it. So what did this mads.exe intend to do? It could have read system information and sent it somewhere else, or perhaps it could have hidden some file elsewhere on my system. That's what I'm most worried about; that there is some file that will allow remote access to my computer or even gather and transmit information whenever it feels like it. What I would most like to know is what this exe did or intended to do. I am not sure, but I wonder if it overwrote or replaced a system file, or copied a new file to some location on my pc, would it show up in this app log file? Because the only files that appear to be listed there are itself (mads.exe) and win.ini. Since my virus scan (McAfee Online) and TH both came up empty (and continue to) I feel somewhat good about my system still being free, but mads could have done some damage that still remains hidden as it DID have the chance to run.

I use a dial up, so it can't do any harm if I don't log in, but I sort of want to be able to log in and use my pc the way I used to. I need to connect at some point as that's sort of the machine's sole purpose. I even tried opening the exe in notepad to see if I could pick out any plain text file names or something, but all I could find was what turned out to be a reference to an exe compression tool that must have been run on mads.exe. It would be cool if someone could tell me "Hey, mads.exe hides a file in windows/system and it's called this", that way I could go and delete it, but is it even possible to get this sort of information from the exe itself? Or should I just set up the firewall and let my computer back online? It sounds like that's not a bad idea really, but it would be nice to know what MIGHT have happened. Thanks for your interest, Ian. John