Re: CANADA.EXE program

From: Brad Arlt (arltat_private)
Date: Tue Mar 11 2003 - 09:39:48 PST


    On Tue, Mar 11, 2003 at 11:49:44AM -0400, Boyko, Steve wrote:
    > One of the people in my office told me he noticed the CPU usage on his
    > machine was pegged at 100% and Task Manager showed it was an executable
    > CANADA.EXE that was consuming the time.  (he is running a Windows 2000
    > laptop)
    > 
    > I looked at his PC and found that the program CANADA.EXE, from C:\Program
    > Files\Dialers\Canada\Canada.EXE, was indeed pegged at 100% CPU utilization,
    > although it didn't seem like it was slowing the system down much.
    > 
    > I copied the executable off, then removed it from his registry
    > (HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Windows/CurrentVersion/Run).
    > 
    > I examined the executable using Strings from www.sysinternals.com but found
    > nothing unusual except that it appears to be a Visual Basic program, based
    > on the file properties (it has strings such as VS_VERSION_INFO, Comments,
    > CompanyName, FileDescription, etc. which have blank values).  The list of
    > imported DLLs at the end show that it does use network-related code, such as
    > URLMON.DLL, WININET.DLL, and WSOCK32.DLL.
    > 
    > There are no ASCII or Unicode strings of note except for a portion that
    > seems to start with "This executable", but it is garbled.  The file size is
    > 68,096 bytes.
    > 
    > I Googled for it and saw it was mentioned in a list of known Start-Up
    > Applications (http://www.pacs-portal.co.uk/startup_pages/startup_full.htm)
    > with a comment "Known to be a dialler - but is it malicious or clean?".
    
    Not specifically.  There are a series of "You need to download this
    dialer application to access our really great porn" programs.  A good
    many are trojaned, and some are known viruses.  If you are feeling
    lazy, submit the program to your virus scanner vendor and have them
    look at it (that is why you pay them money each year).  They might
    even add a signature for the program, making finding it next time
    super easy.
    -----------------------------------------------------------------------
       __o		Bradley Arlt			Security Team Lead
     _ \<_		arltat_private		University Of Calgary
    (_)/(_) 	I should be biking right now.	Computer Science
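The DLL list Steve read off the tail of the Strings output comes from the PE import directory, which can be parsed directly for a repeatable triage check. The script below is an added example, not code from either poster: it walks a PE32/PE32+ import table, returns the DLL names, and flags the network-capable ones the thread names (URLMON, WININET, WSOCK32; WS2_32 is my addition). The PE image it runs on is constructed inline for testing and is not the CANADA.EXE sample.

```python
# Added example (not from the thread): read a PE's import directory and flag network-capable DLLs.
import struct
NETWORK_DLLS = {"urlmon.dll", "wininet.dll", "wsock32.dll", "ws2_32.dll"}  # ws2_32 is my addition

def _rva_to_offset(rva, sections):  # map a relative virtual address to a file offset
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def imported_dlls(data):
    """Return lower-cased DLL names from the import table of a PE32/PE32+ image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0] if len(data) >= 0x40 else 0   # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = pe + 24                                                    # optional header
    dirs = opt + (0x60 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 0x70)  # PE32 / PE32+
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]            # data directory 1 = imports
    sec = opt + struct.unpack_from("<H", data, pe + 20)[0]           # first section header
    sections = [(va, ptr, size) for va, size, ptr in (struct.unpack_from("<III", data, sec + 40 * i + 12)
                for i in range(struct.unpack_from("<H", data, pe + 6)[0]))]   # NumberOfSections
    names, off = [], (_rva_to_offset(imp_rva, sections) if imp_rva else None)
    while off is not None:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]       # IMAGE_IMPORT_DESCRIPTOR.Name
        if not name_rva:                                             # all-zero descriptor ends the table
            break
        n = _rva_to_offset(name_rva, sections)
        names.append(data[n:data.index(b"\0", n)].decode("ascii", "replace").lower())
        off += 20
    return names

def network_capable(dlls):  # imports that give a program network access (URLMON/WININET/WSOCK32)
    return sorted(set(dlls) & NETWORK_DLLS)

def build_sample_pe(dll_names):
    """Constructed, non-executable PE32 image holding only an import directory (test input)."""
    sec_va, raw_ptr = 0x1000, 0x200
    base = sec_va + 20 * (len(dll_names) + 1)                        # names follow the descriptors
    rvas = [base + sum(len(n) + 1 for n in dll_names[:i]) for i in range(len(dll_names))]
    blob = b"".join(n.encode() + b"\0" for n in dll_names)
    payload = b"".join(struct.pack("<5I", 0, 0, 0, r, 0) for r in rvas) + b"\0" * 20 + blob
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(0x60, b"\0") + struct.pack("<4I", 0, 0, sec_va, 20 * (len(dll_names) + 1)) + b"\0" * 112
    sect = b".idata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(payload), sec_va, 0x200, raw_ptr, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sect).ljust(raw_ptr, b"\0") + payload.ljust(0x200, b"\0")

SAMPLE = build_sample_pe(["MSVBVM60.DLL", "URLMON.DLL", "WININET.DLL", "WSOCK32.DLL"])
print(network_capable(imported_dlls(SAMPLE)))   # ['urlmon.dll', 'wininet.dll', 'wsock32.dll']
```

Point imported_dlls at the bytes of a real file to get the same list Strings shows at the end of its output; an empty network_capable result does not make a dialer clean, it only means the binary has no static network imports.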
    
    
    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 09:59:59 PST