Defragfat33.exe

  1. #1
    Registered User (Join Date: Sep 2003, Posts: 27)

    Defragfat33.exe

    On our Windows 2000 server this file was in the Run part of the registry. I have done searches and found nothing about it. Anybody have any ideas what this file might be? It's defragfat33.exe and it's 83k. It's a DOS program, because it opens a DOS window. We took it out of the registry and everything works fine. Just wanted to see if it's something new that is not on the internet search engines yet.

    Thanks
    GarthG

  2. #2
    craigmodius, Registered User (Join Date: Sep 2001, Location: Hellmira, NY, USA, Posts: 1,572)
    Are you sure it isn't defragfat32.exe as in this virus?
    "And just when I thought today couldn't get anymore poo-like." -Outcoded

  3. #3
    Registered User (Join Date: Jan 2005, Posts: 2)

    Quote Originally Posted by garthg
    On our Windows 2000 server this file was in the Run part of the registry. I have done searches and found nothing about it. Anybody have any ideas what this file might be? It's defragfat33.exe and it's 83k. It's a DOS program, because it opens a DOS window. We took it out of the registry and everything works fine. Just wanted to see if it's something new that is not on the internet search engines yet.
    This is a relatively new type of worm, assumedly spreading inside of .doc files (remember - docs can contain macros - use rtf instead). Seems not to be really destructive, may be just a test for further variants. I have also seen a variant "defragfat34.exe" which works similarly. How to get rid of it: Open regedit, search for "defragfat" (will be found in hklm/software/microsoft/windows/currentversion with a "rundll" entry - delete this entry). Then activate task manager, processes, end process "defragfat33" (if it refuses, re-log in). Then open Windows Explorer, go to wintendo/system32 and delete "defragfat33.exe". There is no process named "defragfat" on a non-infected system.

    Same procedure for defragfat34.

    Almost same procedure for defragfat32 - but: this device copies itself several times - just delete all "exe" files that have the same logo as "defragfat32.exe"; common names are e.g. "xyz.exe".

    Symantec has not yet published on this one.

    "Defragfat33" is a hell of a thing. If it indeed hides in the macro code area of doc files, as I presume, it seems to infect big companies and organisations and to spread with seemingly harmless text files.

    How to escape the threat: Download "wordview" from mickeysoft, make this the default application to open docs, so you can read mailed docs without menace.

    How to improve security: Use openoffice.

    Anyone feel free to mail me on the topic.

    JK
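    The three checks JK's removal procedure walks through (a Run-key entry, a running process, a dropped file in System32) can be audited in one read-only pass before anything is deleted. The script below is an added example and is not from this thread or from any vendor; it assumes the autorun entry sits under the standard Run/RunOnce keys under HKLM\Software\Microsoft\Windows\CurrentVersion (the post says "currentversion" but does not name the exact value), that the dropped file lives in %SystemRoot%\System32, and that the `defragfat` name prefix is the only indicator available. It reports findings and a SHA256 hash for submission to an AV vendor; it removes nothing, so an administrator can confirm each hit first.

```powershell
# Added example (not from the thread): read-only audit for the indicators JK's
# post describes. Assumptions: autorun entry under the standard Run/RunOnce keys,
# dropped file in %SystemRoot%\System32, name prefix "defragfat" (adjust -Pattern
# for other variants such as defragfat34). Nothing is deleted.

param(
    [string]$Pattern = 'defragfat'   # case-insensitive substring to look for
)

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

$findings = @()

# 1. Autorun registry values whose name or command line contains the pattern.
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSDrive metadata
        if ($p.Name -imatch $Pattern -or "$($p.Value)" -imatch $Pattern) {
            $findings += [pscustomobject]@{
                Type = 'RegistryRun'; Location = $key; Name = $p.Name; Detail = $p.Value
            }
        }
    }
}

# 2. Running processes whose image name matches (defragfat33, defragfat34, ...).
foreach ($proc in (Get-Process -ErrorAction SilentlyContinue)) {
    if ($proc.ProcessName -imatch $Pattern) {
        $findings += [pscustomobject]@{
            Type = 'Process'; Location = $proc.Path; Name = $proc.ProcessName
            Detail = "PID $($proc.Id)"
        }
    }
}

# 3. Executables in System32 matching the pattern, hashed for vendor submission.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($file in (Get-ChildItem -Path $sys32 -Filter "*$Pattern*.exe" -File -ErrorAction SilentlyContinue)) {
    $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type = 'File'; Location = $file.FullName; Name = $file.Name
        Detail = "$($file.Length) bytes, SHA256 $hash"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No '$Pattern' indicators found in Run keys, processes or System32."
} else {
    $findings | Format-Table -AutoSize
}
```

    Run it from an elevated PowerShell session so HKLM and System32 are readable; a clean machine should print the "No indicators" line, matching JK's remark that no "defragfat" process exists on a non-infected system. Hashing the file before removal preserves evidence if a vendor later asks for a sample.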

  4. #4
    confus-ed, Geezer (Join Date: Jul 1999, Location: In front of my PC...., Posts: 13,087)
    He-he-he .. god damned 'thick' search engines! If you could but search for defragfat?? you could suss that lots of anti-ad packages (do we have any of this running?) & some av proggies have anti-stuff for the variants of what craigmodius references. But as noted above the renumbering variation is a new twist; most home users sat behind a s/w firewall (which is often absent in corporate environments) should see their firewall's 'whitelisting' side leap into action & ask if this process is allowed ..

  5. #5
    Registered User (Join Date: Jan 2005, Posts: 2)

    Quote Originally Posted by confus-ed
    He-he-he .. god damned 'thick' search engines! If you could but search for defragfat??
    You can. Of course, you can. Only that wildcard characters are not supported.

    On the other hand, if you enter "defra" into google, it will find "defragfat3x", too.

    Like this:
    http://forum.ru-board.com/topic.cgi?...1092&start=720


    Fact is that, from the trustworthy sources, information is incomplete. I assume there are many variants of the worms, and for Symantec & co. the case is done when one variant is described.

    Quote Originally Posted by confus-ed
    you can suss that lots of anti-ad packages (do we have any of this running ?) & some av proggies have anti-stuff for the variants of what craigmodius references.
    Are these sources trustworthy? If I programmed Trojans, I'd hide them in anti-badware packs. Best method to spread them. And, ever downloaded such tools? Do you know the experience of seeing a pop-up which says, "this demo tool encountered three infected files that the commercial version could eliminate" - so you pay 89 dollars, wait for three weeks until the software arrives, and you obtain - another outdated scanner.

    Quote Originally Posted by confus-ed
    But as noted above the renumbering variation is a new twist, most home users sat behind a s/w firewall (which is often absent in corporate environments) should see their firewalls 'whitelisting' side leap into action & ask if this process is allowed ..
    If you own a good-functioning firewall, then you are as lucky as a person who owns an old Italian car which does NOT rust.

    I'd really like to interview a programmer of such worm/Trojan/virus things, and afterwards I'd force him to either open a liquor store in Dubai or a Weight Watchers centre in the Western Sahara.
