At 12:06 PM 5/3/00 -0700, K. Graham wrote:
What is the name of the log file that is generated from this program? Where is the log file placed in the system? Did you check to see if there are any residual traces of the programs in the registry? If so where? Do you know the name(s) of the *.vbs you have encountered?
Only one gave me solidly useful clues: All the traces were n.*... the * being various VisualBasic-related extensions. The one that gave me useful info was n.log - showed the modem log and dialout times, etc., but not a list of what was transmitted. The number the modem dialed was XXX'd out; and the transmission stats showed the 10megs. The end user confirmed that, although he was doing some VB6 programming for a class, it wasn't his script and that no one was home at the time the dialout occurred. Unfortunately, the system was unstable as hell and I was lucky to get this data before it crashed completely; W98 wouldn't load at all because of (suspected) corrupted files. Before it crashed completely (and the reason the end user called me), upon W98 boot a system error would be displayed saying RPCSS.dll had caused a GP fault in OLE32, and then a VB debug session would start and freeze. The other encounter showed similar symptoms but left no clues that I could find.
Virus_Research@NAI.com, samples@f-secure.com, and support@sophos.com all are addresses where suspect files can be sent. They prefer them in a zip format before accepting them.
If I'd been able to get samples, I'd surely forward them. Bet these clients keep their McAfee updated and running from now on :).

"Microsoft is not a monopoly!" - Bill Gates
"HA!" - Judge Jackson

Dean Robb
Owner, PC-EASY
(757) 495-EASY [3279]
On-site computer services
Member, ICANN @Large