FYI: A/V update, Wordpad CLSID folder w/ctfmon.exe

Discussion in 'Virus Information' started by NT Canuck, Jan 7, 2010.

  1. NT Canuck

    NT Canuck Guest

    FYI

    re-incarnation of ctfmon.exe

    Location
    C:\Documents and Settings\All Users\WordPad

    Threat
    Uses a folder named with a registry CLSID
    Created (so far as I can find) by "setup" wrappers
    that have been tampered with remotely on a per
    location (remote) or download link (misc).

    Action
    Contacts external (remote) URLs (likely 4 or more),
    typically by using a ctfmon.exe (appears as a legitimate,
    MS-signed 6-8 KB file; the real one is in /system32).
    As a legitimate-appearing MS file, many firewalls/A/V may
    let it online/through untethered if 'trust MS' is enabled.
    (can be noted by check online status/live connections
    and inspected via packet monitoring, may get past some
    that allow trusted MS files or don't monitor those)

    Remedy
    Stop the process in task manager, and cut/delete file/folder.
    The A/V's should have been updated yesterday with this
    but if you find one of those little stinkers..then upload it
    to your A/V online feedback/repository.

    You're welcome, hope you don't have it. ;)
     
    NT Canuck, Jan 7, 2010
    #1

  2. NT Canuck

    NT Canuck Guest

    I should note that only the one above (if found) in the WordPad
    folder marked with a CLSID at the above-noted location should be culled...
    an example of a CLSID 'folder name' (may differ):
    {CFE94FA4-1D21-EF15-B49E-5AF8633BE38A}

    The one in windows/system32/ctfmon.exe should only be
    scanned as that one is part of MS Office and used for
    language changing (little taskbar critter on tray) and
    altering the (I think) keyboard layout for alternate input.
     
    NT Canuck, Jan 7, 2010
    #2
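A defender's hunt for what the two posts above describe (a CLSID-named folder under the WordPad path holding a lookalike ctfmon.exe) can be scripted. The following PowerShell is an added example, not code from the thread or from NT Canuck; it assumes PowerShell 3 or later (for Get-FileHash and -Directory), treats the ProgramData path as an assumed equivalent of the XP-era "All Users" location, and only reports, leaving the stop/delete step to the operator.

```powershell
# Added example (not from the thread): report ctfmon.exe copies sitting in
# CLSID-named folders under the WordPad location the post describes, and
# compare each one against the genuine %SystemRoot%\System32\ctfmon.exe.
$legit     = Join-Path $env:SystemRoot 'System32\ctfmon.exe'
$legitHash = (Get-FileHash -Algorithm SHA256 -Path $legit).Hash

# Assumed roots: the XP-era path from the post plus its ProgramData equivalent.
$roots = @(
    'C:\Documents and Settings\All Users\WordPad',
    (Join-Path $env:ProgramData 'WordPad')
) | Where-Object { Test-Path -LiteralPath $_ }

# A folder name shaped like a registry CLSID, e.g. {CFE94FA4-1D21-EF15-B49E-5AF8633BE38A}
$clsidRegex = '^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

foreach ($root in $roots) {
    # -Force so hidden/system folders (the default Explorer view hides them) are included
    Get-ChildItem -LiteralPath $root -Directory -Force |
        Where-Object { $_.Name -match $clsidRegex } |
        ForEach-Object {
            $candidate = Join-Path $_.FullName 'ctfmon.exe'
            if (Test-Path -LiteralPath $candidate) {
                $sig  = Get-AuthenticodeSignature -FilePath $candidate
                $hash = (Get-FileHash -Algorithm SHA256 -Path $candidate).Hash
                # A running instance whose image path is this copy is the one to stop first
                $running = [bool](Get-Process -Name ctfmon -ErrorAction SilentlyContinue |
                                  Where-Object { $_.Path -eq $candidate })
                [PSCustomObject]@{
                    Path         = $candidate
                    SizeBytes    = (Get-Item -LiteralPath $candidate -Force).Length
                    SigStatus    = $sig.Status          # Valid / NotSigned / HashMismatch ...
                    Signer       = $sig.SignerCertificate.Subject
                    MatchesReal  = ($hash -eq $legitHash)
                    Running      = $running
                }
            }
        }
}
```

A row with MatchesReal false is the one the posts say to stop and remove; a "Valid" signature alone is not a pass, since the post's point is that trusted-signer rules let the lookalike through.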

  3. NT Canuck

    NT Canuck Guest

    I would be remiss not to include that on Windows units
    you will need to enter the (on Windows pane Tools/
    Folder Options/View) and set 'show file extensions'
    (by default set to hide extensions for known file types),
    also 'show operating system files' (by default set to
    'hide'), and also 'show hidden files and folders' (by
    default MS/Windows hides hidden stuff..and so
    do the malefactors). Then set to apply_all, and
    you'll now see a few more items viewable (in the open).

    There, that feels better, I was a bit worried that folks
    might be hunt/look and not see something because of
    not knowing (or being familiar with) settings I take for
    granted as common knowledge in this forum. ;)

    Also those files that you can see now are mostly very
    important to run or display your OS, they were hidden to
    keep the curious and inept from debilitating themselves.
     
    NT Canuck, Jan 10, 2010
    #3