Rise of the Spam Zombies
Kevin Poulsen, SecurityFocus 2003-04-25

Pressed by increasingly effective anti-spam efforts, senders of unsolicited commercial e-mail are resorting to outright criminality in their efforts to conceal the source of their ill-sent missives, using Trojan horses to turn the computers of innocent netizens into secret spam zombies.

Rise of the Spam Zombies 2003-05-01
Anonymous (1 replies)
Interestingly, my work was attacked recently and the server admin password was changed. Last summer I'd got a new PC and there was no personal firewall installed by IT on it. After the server was attacked, finally personal firewalls were installed on the PCs.

I'd had an incident where the computer rebooted itself some time ago which then meant that pressing CTRL+ALT+DEL didn't bring up the task manager. IT Dept never did anything about it but just made a shortcut to task manager on the desktop.

MSM kept popping up in the sys tray and every time I tried to close it, it said it was in use and couldn't be closed. Minor annoyance and didn't stop me working.

After installation of the firewall, it was going bananas and kept trying to get out; the firewall alarm was going mad as I had blocked its outside access.

Doing some digging on it revealed it was a second copy of MSM that had been altered and placed in a new directory. Digging a bit further into it revealed it was an SMTP client; instead of using my email address though it seemed like a direct client. The user had full access to my machine it seems and had dumped a load of composed emails on the server to be sent out via my machine.

No more investigation was done on this after we used safe mode to remove the files from the directory (I requested they not be deleted and should send them to Symantec soon) and since removal, we've had no more incidents of viruses and random crashes on other machines.


Link to this comment: http://www.securityfocus.com/comments/articles/4217/19696#19696
Copyright 2008, SecurityFocus