[ale] windows virus?

Robert Reese ale at sixit.com
Tue Jun 1 15:04:51 EDT 2010


Hello Paul,

Tuesday, June 1, 2010, 5:58:06 AM, you wrote:


> pbc      26683     1  0 May24 ?        00:00:00 C:\windows\temp\IXP000.TMP\LS_ISL~2.exe

> after killing those processes, I could not find ANY files in my windows/temp
> folder.. ( .wine/drive_c$/windows/temp )

> a google showed LS_ISL~1.exe, but not 2..
> I very rarely use wine for anything, and the last file changes in windows &
> Program Files is from December.


Yes, it looks like malware first detected back on March 23rd and again around April 7th or 8th.

http://www.prevx.com/filenames/229273247370207858-X1/PRETEE~2.EXE.html


http://www.prevx.com/filenames/X2542718249228048748-X1/LS_ISL~1.EXE.html


http://www.oitc.com/winnow/clamsigs/pages/table60.html



Also, it appeared to have downloaded twice, hence the '2' at the end rather than a '1'.

IIRC, Wine "automagically" takes over for Windows executables, and the malware was likely therefore launched through an exploit in the browser; a telltale sign is that it was running from a Temp directory.

I doubt it did anything outside of hammering your CPU, however.  Still, I'd make sure there isn't anything new in the Wine startup (if there is one).

Cheers,
Robert~
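
Added example, not part of Robert's message: one way to carry out the startup check suggested above, assuming the Wine prefix is ~/.wine and that autostart entries sit under the standard Run/RunOnce keys in Wine's text registry files (user.reg, system.reg). The sample registry text and the function names are constructed for illustration.

```python
import os
import re

# Assumption: autostart entries live under the standard Run / RunOnce keys.
RUN_KEY = re.compile(r"^\[(.*\\\\CurrentVersion\\\\Run(?:Once)?)\]", re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')
TEMP = re.compile(r"\\(temp|tmp)\\", re.I)

def unescape(s):
    # Wine's text registry escapes backslashes and quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def autostart_entries(reg_text):
    """Return (key, name, command, in_temp) for each Run/RunOnce string value."""
    found, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = unescape(m.group(1)) if m else None
        elif key and (m := VALUE.match(line)):
            cmd = unescape(m.group(2))
            found.append((key, unescape(m.group(1)), cmd, bool(TEMP.search(cmd))))
    return found

def scan_prefix(prefix):
    # Registry files Wine keeps at the top of a prefix (e.g. ~/.wine).
    hits = []
    for name in ("user.reg", "system.reg"):
        path = os.path.join(prefix, name)
        if os.path.exists(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits += autostart_entries(fh.read())
    return hits

# Constructed sample, not taken from the poster's machine.
SAMPLE = r'''WINE REGISTRY Version 2

[Software\\Microsoft\\Windows\\CurrentVersion\\Run] 1275400000
"Updater"="C:\\windows\\temp\\IXP000.TMP\\example.exe"
"Tray"="C:\\Program Files\\Tool\\tray.exe /min"

[Software\\Wine\\Fonts] 1275400000
"LogPixels"=dword:00000060
'''

if __name__ == "__main__":
    for key, name, cmd, in_temp in scan_prefix(os.path.expanduser("~/.wine")):
        print("SUSPECT" if in_temp else "ok     ", key, name, cmd)
```

Entries flagged SUSPECT point at an executable under a Temp directory, the same telltale mentioned in the message; any entry that was not there before is worth a look regardless of the flag.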


