(Apologies to the group if this arrives twice - Gmane.org seems to be
acting up)

Ron,

Sorry for the confusion. Sandbox is part of Norman's AV product, and not a
separate product.
Also, I never scanned the cab file yesterday; I just posted a report from an
earlier infection I had. I did this just to illustrate the type of info you
get when it finds something suspicious.

Today, however, I did scan it, and it found nothing :-/
Now that my interest was raised, I extracted the cab onto a floppy and on my
Linux box ran 'strings' against the dll and ocx.
From the dll I got the following info.
It looks like it attempts to install and run an exe called winmsg2k_1.exe
from http://www.linemovie.com/link/user2/update/winmsg2k_1.exe
It may also attempt to get the same file from
http://www.linkno1.com/link/update/winmsg2k_1.exe
I tried to get this file from both servers, but it was not there.

It also looks as if it changes the computer's registry to something like the
following:

HKLM\SOFTWARE\Windows\CurrentVersion\Run   Microsoft Task    mstask20.exe

Other files it mentions are:
services20.exe
msxml20cd.dll
msxml20cc.dll
msvcrt20kb.dll
msvcrt20ka.dll

Doing a Google search for mstask.exe and services.exe returns plenty of hits - they
are MS files. However, mstask20.exe and services20.exe return nothing. As the
dlls have '20' in them I'd suspect them also.

Both the above-mentioned domains are Korea-registered, with Hotmail and Empal
accounts as the contact email addresses. Most registrars won't allow this.

As I said, I only used 'strings', so although the info here is correct, some
of my conclusions may not be. I would, however, suggest you check your
registry and do a search for the mentioned files, including winmsg2k_1.exe.

Hope this helps

--
Patrick
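The 'strings'-based triage described in the message above, written out as an added example (this is not code from the original post, from ClamAV or from Norman). It does what Patrick did by hand and adds two things a practitioner would want: it also recovers UTF-16LE strings, which GNU strings skips unless run with -e l and which Windows binaries use heavily, and it classifies the output into download URLs, Run-key registry paths, executable/DLL names, and names that imitate a Windows system binary with extra digits (the mstask.exe versus mstask20.exe pattern). The byte blob is constructed to stand in for the dll: the URLs, value name and file names are the ones from the message, while the filler bytes, the full Run-key path with its 'Microsoft' component, and the SYSTEM_BASENAMES list are assumptions made for the example.

```python
"""Static triage of a Windows binary via string extraction (added example)."""
import re
from typing import Dict, List

# Constructed sample standing in for the dll's bytes. URLs, value name and file
# names come from the mailing-list message; the surrounding bytes and the full
# registry path are assumptions. The last file name is stored as UTF-16LE, as
# Windows wide-string APIs store it, so plain 'strings' would miss it.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00\x01\x02\x03"
    b"http://www.linemovie.com/link/user2/update/winmsg2k_1.exe\x00\x7f\x00"
    b"http://www.linkno1.com/link/update/winmsg2k_1.exe\x00\x11\x12"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"Microsoft Task\x00mstask20.exe\x00services20.exe\x00"
    b"msxml20cd.dll\x00msvcrt20kb.dll\x00msvcrt20ka.dll\x00\x00"
    + "msxml20cc.dll".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef"
)

MIN_LEN = 4  # same default as GNU strings


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return printable ASCII runs (what 'strings' prints) followed by
    UTF-16LE runs (what 'strings -e l' prints), each at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


URL_RE = re.compile(r"https?://[\w\-./?=&%#:]+", re.IGNORECASE)
# Autostart locations; RunOnce/RunServices are included for completeness.
RUN_KEY_RE = re.compile(
    r"SOFTWARE\\(?:Microsoft\\)?Windows\\CurrentVersion\\Run(?:Once|Services)?",
    re.IGNORECASE,
)
FILE_RE = re.compile(r"[\w\-]+\.(?:exe|dll|ocx|sys|scr|cab)\b", re.IGNORECASE)

# Base names of genuine Windows binaries that the '20' files appear to imitate.
# Assumed list for this example; on a real box build it from a system inventory.
SYSTEM_BASENAMES = {"mstask", "services", "msxml", "msvcrt"}


def looks_like_system_lookalike(filename: str) -> bool:
    """True for names such as mstask20.exe: a known system base name plus a
    suffix containing digits. This is a triage hint, not a verdict; it will
    also flag legitimate names like msxml2.dll."""
    base = filename.rsplit(".", 1)[0].lower()
    for name in SYSTEM_BASENAMES:
        suffix = base[len(name):]
        if base != name and base.startswith(name) and any(c.isdigit() for c in suffix):
            return True
    return False


def triage(data: bytes) -> Dict[str, List[str]]:
    """Classify extracted strings into the categories worth checking on a host:
    URLs to fetch from, registry autostart keys, dropped file names, and file
    names that imitate system binaries. Each list is deduplicated and sorted."""
    report = {"urls": set(), "run_keys": set(), "files": set(), "lookalikes": set()}
    for s in extract_strings(data):
        report["urls"].update(URL_RE.findall(s))
        if RUN_KEY_RE.search(s):
            report["run_keys"].add(s)
        for f in FILE_RE.findall(s):
            report["files"].add(f)
            if looks_like_system_lookalike(f):
                report["lookalikes"].add(f)
    return {kind: sorted(items) for kind, items in report.items()}


if __name__ == "__main__":
    import sys
    # Pass a real dll/ocx path to triage it; with no argument, use the sample.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for kind, items in triage(blob).items():
        print(kind)
        for item in items:
            print("   ", item)
```

The 'files' list is what to search the disk for and the 'run_keys' hits are where to look in the registry; note that 'msxml20cc.dll' only appears because the wide-string pass is included, which is why a plain 'strings' run can understate what a binary references.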





_______________________________________________
Clamav-users mailing list
https://lists.sourceforge.net/lists/listinfo/clamav-users
