Re: suspicious little link...

  • From: "qubit" <lauraeaves@xxxxxxxxx>
  • To: <programmingblind@xxxxxxxxxxxxx>
  • Date: Sat, 4 Sep 2010 21:56:19 -0500

Tyler --
Thanks for the little bit of research.
I still don't like a link with no text... but there is one thing I need to 
say yet again for the dozenth time -- the folder options view settings don't 
unhide all file types. There are many system specific ones, like .pif, .lnk, 
and some others, that are still hidden.  Not knowing this caused me a big 
headache the first time my machine got infected with a virus.  I infected it 
by opening a file called fun.mp3.  Its real name was fun.mp3.pif and it was 
a little piece of software that took me a week and some sighted assistance 
to remove.
If you go to the registry and search for all lines containing the word 
NEVERSHOWEXT and delete those lines and save the registry, you will suddenly 
see all kinds of stuff that you probably didn't notice before. Now this is 
on XP. My win7 machine is newer and I haven't done the "surgery" on it as 
yet. I'm going to see if I can get along without it. But the point is, 
folder options are not enough.
Happy hacking.
--le
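The point above (Folder Options alone does not reveal extensions such as .pif and .lnk because the registry marks those file types NeverShowExt) can be checked without editing anything. The script below is an added example, not code from the original post or from WinSCP; the function names are my own, and it assumes a Windows host with PowerShell and read access to HKEY_CLASSES_ROOT. It lists the file types that stay hidden regardless of the "Hide extensions for known file types" checkbox, and resolves what a given .lnk shortcut (including one whose base name is a single space) actually launches and with which arguments. Unlike the registry "surgery" described above, it only reads.

```powershell
# Added example, not part of the original post. Reads HKEY_CLASSES_ROOT to list
# file types whose extension Explorer hides even when Folder Options is set to
# show extensions (the NeverShowExt value), and resolves a .lnk shortcut's real
# target and arguments. Read-only: it does not delete NeverShowExt.
# Assumes Windows PowerShell with read access to HKEY_CLASSES_ROOT.

function Get-NeverShowExtTypes {
    # Each ".ext" key under HKCR has a default value naming a ProgID key
    # (".lnk" -> "lnkfile", ".pif" -> "piffile"). NeverShowExt normally sits on
    # the ProgID key, but the extension key itself is checked as well.
    $hkcr = [Microsoft.Win32.Registry]::ClassesRoot
    foreach ($name in $hkcr.GetSubKeyNames()) {
        if (-not $name.StartsWith('.')) { continue }
        $extKey = $hkcr.OpenSubKey($name)
        if ($null -eq $extKey) { continue }
        try {
            $progId = [string]$extKey.GetValue('')
            $hiddenOnExt = $extKey.GetValueNames() -contains 'NeverShowExt'
            $hiddenOnProgId = $false
            if ($progId) {
                $progKey = $hkcr.OpenSubKey($progId)
                if ($null -ne $progKey) {
                    try { $hiddenOnProgId = $progKey.GetValueNames() -contains 'NeverShowExt' }
                    finally { $progKey.Close() }
                }
            }
            if ($hiddenOnExt -or $hiddenOnProgId) {
                [PSCustomObject]@{ Extension = $name; ProgId = $progId }
            }
        } finally { $extKey.Close() }
    }
}

function Resolve-ShortcutTarget {
    param([Parameter(Mandatory)][string]$Path)
    # WScript.Shell parses an existing .lnk and exposes the same Target and
    # Arguments that Explorer's Properties dialog shows.
    $full  = (Resolve-Path -LiteralPath $Path).ProviderPath
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($full)
    [PSCustomObject]@{
        Shortcut         = $full
        TargetPath       = $lnk.TargetPath
        Arguments        = $lnk.Arguments
        WorkingDirectory = $lnk.WorkingDirectory
        TargetExists     = [bool]($lnk.TargetPath -and (Test-Path -LiteralPath $lnk.TargetPath))
    }
}

# Usage: list the always-hidden types, then inspect every shortcut on the
# desktop, including ones whose base name is blank or only whitespace.
Get-NeverShowExtTypes | Sort-Object Extension | Format-Table -AutoSize
Get-ChildItem -LiteralPath ([Environment]::GetFolderPath('Desktop')) -Filter '*.lnk' -Force |
    ForEach-Object { Resolve-ShortcutTarget -Path $_.FullName } |
    Format-List
```

On a stock installation the first command typically reports .lnk (lnkfile), .pif (piffile) and .url (InternetShortcut) among others, which is exactly why a file named fun.mp3.pif shows up as fun.mp3 in Explorer. The second command would have shown the " .lnk" shortcut from the original post as WinSCP.exe with the argument /UploadIfAny.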

----- Original Message ----- 
From: "Tyler Littlefield" <tyler@xxxxxxxxxxxxx>
To: <programmingblind@xxxxxxxxxxxxx>
Sent: Saturday, September 04, 2010 9:17 PM
Subject: Re: suspicious little link...


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Laura,
I just did a bit more research for you, and came across this--I'll just
quote the forum post.
It seems as if you can drag a file to the icon and it will upload. So
that .lnk you found was just to allow people to drag it to that icon.
So it's not a Trojan, just blocking the confirmation.
Also, you don't need to go to the registry to unhide file types. Just go
to Tools and Folder Options in any folder, then go to the View tab, and
go to "Hide extensions for known file types".
Anyway, the promised post:
For the benefit of anyone stumbling on this topic in the future:
Simply appending /defaults to the command line in the shortcut will fail.
It will cause the shortcut to change behavior from bringing up the
confirmation dialog, uploading (after user input) and exiting.. to
simply opening the program, not touching the file.

Instead, place the /defaults switch before the /uploadifany switch. The
latter actually takes a parameter (just like /upload) and so you have to
act accordingly.

It's odd that the program creates the shortcut with the /uploadifany
switch when there isn't any documentation on it anywhere, as far as I
can tell - even googling the entire internet only turns up 3 irrelevant
results - two in German, one in Japanese. AFAICT, /uploadifany is simply
a version of /upload that does not return an error if it's used without
a file list present.


HTH,
- -- 
Thanks,
Tyler Littlefield

On 9/4/2010 8:02 PM, Katherine moss wrote:
> I think it's a Trojan, dude.  Scan your computer with
> www.eset.com/onlinescan.  That should tell you unless they were silly enough
> to overlook it.  And also, check the directories that WinSCP puts on your
> system.  You could have just been unaware of it.
>
> -----Original Message-----
> From: programmingblind-bounce@xxxxxxxxxxxxx
> [mailto:programmingblind-bounce@xxxxxxxxxxxxx] On Behalf Of qubit
> Sent: Friday, September 03, 2010 11:45 PM
> To: bprogramming
> Subject: suspicious little link...
>
> Hi all --
> Could someone tell me if this is part of an attack and if so, how do I rid
> my computer of it?
> I was cleaning off my desktop of old files and discovered a file with the
> name of " .lnk" (note that .lnk indicates it is a shortcut. I have fiddled
> with the registry to unhide all extensions in Windows Explorer.)
> Note that the above shortcut has the base name of a single space.  I looked
> at the properties to see what this thing was pointing to, and found the
> following.
> target: c:\program files\WinSCP\WinSCP.exe /UploadIfAny
>
> I did in fact install WinSCP some time ago, but I was not aware of a little
> shortcut named space uploading who-knows-what.
> I don't know the target server of the upload or the directory on my machine
> that it would look at.
>
> I wouldn't be surprised if there was a trojan on this laptop as I have
> indiscriminately installed a number of programs, but given the suspicious
> appearance of this shortcut I fear there are data files being compromised.
> My machine is running xp pro, but I don't have server software running on
> it.
> So does anyone recognize this file? Could it be legitimate? Where would I
> look for related files?
>
> I suppose the admin logs would shed light on any uploads.
> Thanks.
> --le
>
> __________
> View the list's information and change your settings at
> //www.freelists.org/list/programmingblind
>
>
>
> __________ Information from ESET NOD32 Antivirus, version of virus 
> signature
> database 5423 (20100904) __________
>
> The message was checked by ESET NOD32 Antivirus.
>
> http://www.eset.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMgv2uAAoJELDPyrppriJP3+wIALkVixuoKk7+yOpQQQe52qGz
1b/n2HgIX5omXkBXvT7IX40uNZEncrR5s5IJBgeh1J0B62Olc2vbl4Ju9Igv6BiK
G9fqEIOwsO4MhmHe1DlDwI1vBCXR8KM/jSiweMz63FmIHklUrAQZEFe0SrTmHnOO
FU4jKlNCoUsK20UDs5Nfw9fGTEzigCmAHwqAF/it/9iF/Vnl6dICm2vUdk7KTuDQ
MYyxbnyAb3aH0KuwBBKdN1ELrQVy3i5T4IWKH7ZEt55WXX7xtmZerGlWC+EyCeH2
EJJGFz8FkdD0xEvkbMNtjuZLpUhHUw0JdDFwJngPceWENeQTA9koXIT1v8de2u8=
=jbrd
-----END PGP SIGNATURE-----