Reporting new spyware
When setting up the network at the new house I fired up each machine to test out connectivity and other behaviour before putting it back on the network. One of the laptops was behaving a bit oddly so I put it to one side for further examination and carried on with the rest. The area where the computers are located is a real pain though as there is only one power point - Something that will need to be fixed as I need about 30 power points for the kit!
Looking at the laptop I went through some standard checks to see what was running at startup and so on, Nothing unusual popped out so I looked deeper into the services and once service I tried to disable gave me error so I had a look in the registry to find it calls itself tixqvawf in the registry and goes by a host of different names when you delete it.
I dug further and found that it launches a DLL called bkldbkl.dll which I sent off to Sophos and McAfee for analysis - Now this is where it get's interesting.
Sophos replied within 48 hours to say that it was spyware and that they would be issuing an IDE update would to cover it and the link is
McAfee sent back an automated reply to say that an AVERT researcher would be looking into it because the automated test could not find a match. Further down it said that automated testing would only occur if the original sample was in a password protected zip and that a researcher would only look into it if that was the case but the one I sent wasn't.
So now I've got two pieces of conflicting information.
I assume that because McAfee have not bothered to get back to me they require a password protected zip file but it's annoying that the sample wasn't rejected because it wasn't password protected. All a bit silly really and McAfeehere.
Subscribe to Ramblings of a Sysadmin
Get the latest posts delivered right to your inbox