Re: suspicious little link...

  • From: Tyler Littlefield <tyler@xxxxxxxxxxxxx>
  • To: programmingblind@xxxxxxxxxxxxx
  • Date: Sat, 04 Sep 2010 20:17:18 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laura,
I just did a bit more research for you, and came across this--I'll just
quote the forum post.
It seems as if you can drag a file to the icon and it will upload, so
that .lnk you found was just to allow people to drag it to that icon.
So it's not a trojan, just blocking the confirmation.
Also, you don't need to go to the registry to unhide file types. Just go
to Tools and Folder Options in any folder, then go to the View tab, and
go to Hide extensions for known file types.
Anyway, the promised post:
For the benefit of anyone stumbling on this topic in the future:
Simply appending /defaults to the command line in the shortcut will fail.
It will cause the shortcut to change behavior from bringing up the
confirmation dialog, uploading (after user input) and exiting.. to
simply opening the program, not touching the file.

Instead, place the /defaults switch before the /uploadifany switch. The
latter actually takes a parameter (just like /upload) and so you have to
act accordingly.

It's odd that the program creates the shortcut with the /uploadifany
switch when there isn't any documentation on it anywhere, as far as I
can tell - even googling the entire internet only turns up 3 irrelevant
results - two in German, one in Japanese. AFAICT, /uploadifany is simply
a version of /upload that does not return an error if it's used without
a file list present.


HTH,
-- 
Thanks,
Tyler Littlefield

On 9/4/2010 8:02 PM, Katherine moss wrote:
> I think it's a Trojan, dude.  Scan your computer with
> www.eset.com/onlinescan.  That should tell you unless they were silly enough
> to overlook it.  And also, check the directories that WinSCP puts on your
> system.  You could have just been unaware of it.
> 
> -----Original Message-----
> From: programmingblind-bounce@xxxxxxxxxxxxx
> [mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of qubit
> Sent: Friday, September 03, 2010 11:45 PM
> To: bprogramming
> Subject: suspicious little link...
> 
> Hi all --
> Could someone tell me if this is part of an attack and if so, how do I rid 
> my computer of it?
> I was cleaning off my desktop of old files and discovered a file with the 
> name of " .lnk" (note that .lnk indicates it is a shortcut. I have fiddled 
> with the registry to unhide all extensions in windows explorer.)
> Note that the above shortcut has the base name of a single space.  I looked 
> at the properties to see what this thing was pointing to, and found the 
> following.
> target: c:\program files\WinSCP\WinSCP.exe /UploadIfAny
> 
> I did in fact install WinSCP some time ago, but I was not aware of a little 
> shortcut named space uploading who-knows-what.
> I don't know the target server of the upload or the directory on my machine 
> that it would look at.
> 
> I wouldn't be surprised if there was a trojan on this laptop as I have 
> indiscriminately installed a number of programs, but given the suspicious 
> appearance of this shortcut I fear there are data files being compromised.
> My machine is running xp pro, but I don't have server software running on 
> it.
> So does anyone recognize this file? Could it be legitimate? Where would I 
> look for related files?
> 
> I suppose the admin logs would shed light on any uploads.
> Thanks.
> --le
> 
> __________
> View the list's information and change your settings at 
> //www.freelists.org/list/programmingblind
> 
>  
> 
> __________ Information from ESET NOD32 Antivirus, version of virus signature
> database 5423 (20100904) __________
> 
> The message was checked by ESET NOD32 Antivirus.
> 
> http://www.eset.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMgv2uAAoJELDPyrppriJP3+wIALkVixuoKk7+yOpQQQe52qGz
1b/n2HgIX5omXkBXvT7IX40uNZEncrR5s5IJBgeh1J0B62Olc2vbl4Ju9Igv6BiK
G9fqEIOwsO4MhmHe1DlDwI1vBCXR8KM/jSiweMz63FmIHklUrAQZEFe0SrTmHnOO
FU4jKlNCoUsK20UDs5Nfw9fGTEzigCmAHwqAF/it/9iF/Vnl6dICm2vUdk7KTuDQ
MYyxbnyAb3aH0KuwBBKdN1ELrQVy3i5T4IWKH7ZEt55WXX7xtmZerGlWC+EyCeH2
EJJGFz8FkdD0xEvkbMNtjuZLpUhHUw0JdDFwJngPceWENeQTA9koXIT1v8de2u8=
=jbrd
-----END PGP SIGNATURE-----
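The original question was answered by opening the shortcut's Properties dialog and reading its target by hand. As an added example (not code from the thread or from the WinSCP project), the PowerShell script below does the same triage for every .lnk on the user's and the all-users Desktop: it reads each shortcut's target, arguments and working directory through the WScript.Shell COM object (CreateShortcut on an existing .lnk only reads it; nothing is launched or saved), and marks the two things the thread found suspicious, a blank or whitespace-only name such as " .lnk" and an /upload-style switch in the arguments. It finishes by reading Explorer's HideFileExt value, which is the registry setting behind the "Hide extensions for known file types" checkbox mentioned above. The folder choice, the "blank-name" and "upload-switch" labels, and the -match pattern are my assumptions for the example.

```powershell
# Added example, not from the thread: enumerate Desktop shortcuts and show what each one launches.
$shell = New-Object -ComObject WScript.Shell

# Per-user Desktop plus the all-users Desktop (assumed scope for the example).
$desktops = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory')
)

$results = foreach ($dir in $desktops) {
    # -Force includes hidden shortcuts; the filter keeps only .lnk files.
    Get-ChildItem -LiteralPath $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # CreateShortcut on an existing .lnk reads it; nothing runs unless .Save() is called, and it is not.
        $lnk = $shell.CreateShortcut($_.FullName)
        $flags = @()

        # A base name that is empty or only whitespace (" .lnk") is easy to miss in a listing.
        if ($_.BaseName.Trim().Length -eq 0) { $flags += 'blank-name' }

        # Arguments that make the target act on launch, e.g. WinSCP's /upload or /uploadifany.
        if ($lnk.Arguments -match '/upload') { $flags += 'upload-switch' }

        [pscustomobject]@{
            Shortcut   = $_.FullName
            Target     = $lnk.TargetPath
            Arguments  = $lnk.Arguments
            WorkingDir = $lnk.WorkingDirectory
            Flags      = ($flags -join ',')
        }
    }
}

$results | Format-Table -AutoSize

# Explorer's "Hide extensions for known file types" setting: 1 = extensions hidden, 0 = shown.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
(Get-ItemProperty -Path $advanced -Name HideFileExt).HideFileExt
```

Reading the shortcut this way gives the same information as the Properties dialog (target and arguments) but also shows the working directory, which is where WinSCP would look for files when the shortcut is used, something the original poster could not tell from the dialog alone.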