Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

"Ghost" typing incident - virus?

Posted on 2006-06-21
14
Medium Priority
?
986 Views
Last Modified: 2013-12-04
Very odd thing happened to a client of mine a couple days ago and I have not been able to find anything searching on it.  He was typing an email in his email client (GoldMine 6.7 Corporate edition) and all of a sudden, "someone" else was typing as well.  Here is the email that was being typed: (ghost typing is inside *** markers)

Dear Ana,
 
Please s***He's in news in*** ee the attached  file for a corrected universal life (UL) policy.  I noticed an the error on the version I left with you last Thursday.   You will see that the recommend funding is $2,567 and th***>you still see the design of the UCLA designs and he's no of one) . This new study on the site in the year , the navy officer is based on the island in this new diet and you're looking at this is really weird that will license that will allow you to fill the activity at centennial of my youngest of this happening at the beginning of an incentive to stay home and the answer on radio in this case where the 7.77 billion yen, and I had my e-mail to one of the best in the San Jose ....................***e min. $1,366.  As I mention if you select the UL you will want to funding the recommended vs term insurance which is less costly.
 
You ***city and all the U.S. and Japan*** can have a buy-up rider that will allow the purchase of an additional $45,000 in insurance without underwriting.  But I would decline on this rider, it's not worth the cost for the little additional coverage .   We can just re-issue a new policy in the future or increase this policy's death benefit.
 
Thanks,
Paul

Notice how the ghost typing seems to be random phrases stuck together.  I have not been able to look at the computer yet as he has not been available, but when I do, I'd like to have something to look for, but right now I really have no ideas other than it could be some virus.  Thanks.
0
Comment
Question by:jtgerdes
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
  • 2
  • +4
14 Comments
 
LVL 16

Expert Comment

by:Wadski
ID: 16955399
Hi there jtgerdes,

The first thing I would do is run an AV scan and Spyware scan on the PC.  Maybe consider removing it from the network too as if its spamming keystrokes it may be divulging important information out.

Once you have removed any spyware/malware/virus/trojon on there leave it and see if it happens again.

Wadski
0
 

Author Comment

by:jtgerdes
ID: 16955597
Yeah that's what I told him to do - take it off the network.  And when I get a chance to look at the computer the first thing I'll do is run a virus scan, but I was wondering if anyone has seen this specific issue and had any insight into what it could be.  Thanks.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16955981
That's a new one. Don't have a clear answer but it does seem like one of those spam bots that may be generating random phrases and somehow (perhaps by accident) those are getting mixed into your client's email. Will be very interesting to see what it turns out to be. Please do post an update.

He isn't running VNC or some similar remote control software, by any chance?

0
Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

 

Author Comment

by:jtgerdes
ID: 16961641
Well I still haven't gotten a chance to look at it.  I had told them to run a virus scan on it when they first told me about it and in talking to them today that apparently found some viruses but they didn't know which ones.  If I ever get to look at it or they still have issues with it, I'll post an update.
0
 
LVL 10

Expert Comment

by:GuruGary
ID: 16966351
Is your client using a wireless keyboard?  My guess is that they are.  I have seen a very similar scenario a few times.  Each time the user has been using a wirelss keyboard, somebody in an adjoining office also had a wireless keyboard (or mouse with pointer movements being taken over), and it was intercepting a neighboring wireless keyboard / mouse that uses the same frequency.

If on a wireless keyboard, replace with a wired keyboard to see if the problem goes away.  If that is the problem and the user wants to continue using a wireless keyboard get one with a shorter range.
0
 
LVL 32

Expert Comment

by:r-k
ID: 16966498
GuruGary - very interesting. Obvious once you explain it!
0
 

Author Comment

by:jtgerdes
ID: 16968677
Actually I can pretty much guarantee that that is not the issue - you have to look at what the "ghost" typed.  If it actually flowed and made sense then that could be a very logical explanation.  However, if you look at it, it is a bunch of nonrelated phrases put together in one long string.  Much more typical of a spambot virus than a diligent coworker in the next cubicle over.
0
 
LVL 1

Expert Comment

by:Sentinel8o
ID: 16986911
well if the signal was dropping off and on then it would explain the nonrelated phrases. But i would think it was trojan/virus. what os is the client running? type of antivirrus? firewall enabled?
0
 
LVL 3

Expert Comment

by:ola_erik
ID: 17142107
Hmm, quite interesting. In the paranoid corner of this issue there might be a malfunctioning keylogger releasing some of its content to the machine.

Im at a Uni where keyloggers actually have been found in the student PC rooms.

http://www.keylogger-hrd.com/
0
 
LVL 10

Expert Comment

by:GuruGary
ID: 17147332
Did you ever find out if the PC was using a wireless keyboard?  That is still my guess, as I have seen the same scenario more than once.
0
 

Author Comment

by:jtgerdes
ID: 17148558
I like the hardware keylogger idea - that's a new one to me, never heard of them before.

Without having the luxury of actually seeing the computer(the client is in Houston and I'm in the midwest) or being able to log in to look at it (they're like "it's working now so we don't have the time for you to login"), my opinion is that it was a trojan gone wacko.  If you look at the email that was being typed (at the very top of the thread), you will notice that multiple disconnected phrases are inserted in the middle of a word.  So it's not like he finished a paragraph or even a sentence and then his neighbor's wireless keyboard was typing away on his PC in the mean time.  You really have to study the example to see it, but when you do I really think it's quite obvious that it's a mass emailing virus or trojan gone wacky.
0
 

Accepted Solution

by:
ee_ai_construct earned 0 total points
ID: 17399838
PAQ / Refund
ee ai construct, community support moderator
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
OfficeMate Freezes on login or does not load after login credentials are input.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question