jtgerdes
asked on
"Ghost" typing incident - virus?
Very odd thing happened to a client of mine a couple days ago and I have not been able to find anything searching on it. He was typing an email in his email client (GoldMine 6.7 Corporate edition) and all of a sudden, "someone" else was typing as well. Here is the email that was being typed: (ghost typing is inside *** markers)
Dear Ana,
Please s***He's in news in*** ee the attached file for a corrected universal life (UL) policy. I noticed an the error on the version I left with you last Thursday. You will see that the recommend funding is $2,567 and th***>you still see the design of the UCLA designs and he's no of one) . This new study on the site in the year , the navy officer is based on the island in this new diet and you're looking at this is really weird that will license that will allow you to fill the activity at centennial of my youngest of this happening at the beginning of an incentive to stay home and the answer on radio in this case where the 7.77 billion yen, and I had my e-mail to one of the best in the San Jose ....................***e min. $1,366. As I mention if you select the UL you will want to funding the recommended vs term insurance which is less costly.
You ***city and all the U.S. and Japan*** can have a buy-up rider that will allow the purchase of an additional $45,000 in insurance without underwriting. But I would decline on this rider, it's not worth the cost for the little additional coverage . We can just re-issue a new policy in the future or increase this policy's death benefit.
Thanks,
Paul
Notice how the ghost typing seems to be random phrases stuck together. I have not been able to look at the computer yet as he has not been available, but when I do, I'd like to have something to look for, but right now I really have no ideas other than it could be some virus. Thanks.
Dear Ana,
Please s***He's in news in*** ee the attached file for a corrected universal life (UL) policy. I noticed an the error on the version I left with you last Thursday. You will see that the recommend funding is $2,567 and th***>you still see the design of the UCLA designs and he's no of one) . This new study on the site in the year , the navy officer is based on the island in this new diet and you're looking at this is really weird that will license that will allow you to fill the activity at centennial of my youngest of this happening at the beginning of an incentive to stay home and the answer on radio in this case where the 7.77 billion yen, and I had my e-mail to one of the best in the San Jose ....................***e min. $1,366. As I mention if you select the UL you will want to funding the recommended vs term insurance which is less costly.
You ***city and all the U.S. and Japan*** can have a buy-up rider that will allow the purchase of an additional $45,000 in insurance without underwriting. But I would decline on this rider, it's not worth the cost for the little additional coverage . We can just re-issue a new policy in the future or increase this policy's death benefit.
Thanks,
Paul
Notice how the ghost typing seems to be random phrases stuck together. I have not been able to look at the computer yet as he has not been available, but when I do, I'd like to have something to look for, but right now I really have no ideas other than it could be some virus. Thanks.
ASKER
Yeah that's what I told him to do - take it off the network. And when I get a chance to look at the computer the first thing I'll do is run a virus scan, but I was wondering if anyone has seen this specific issue and had any insight into what it could be. Thanks.
That's a new one. Don't have a clear answer but it does seem like one of those spam bots that may be generating random phrases and somehow (perhaps by accident) those are getting mixed into your client's email. Will be very interesting to see what it turns out to be. Please do post an update.
He isn't running VNC or some similar remote control software, by any chance?
He isn't running VNC or some similar remote control software, by any chance?
ASKER
Well I still haven't gotten a chance to look at it. I had told them to run a virus scan on it when they first told me about it and in talking to them today that apparently found some viruses but they didn't know which ones. If I ever get to look at it or they still have issues with it, I'll post an update.
Is your client using a wireless keyboard? My guess is that they are. I have seen a very similar scenario a few times. Each time the user has been using a wirelss keyboard, somebody in an adjoining office also had a wireless keyboard (or mouse with pointer movements being taken over), and it was intercepting a neighboring wireless keyboard / mouse that uses the same frequency.
If on a wireless keyboard, replace with a wired keyboard to see if the problem goes away. If that is the problem and the user wants to continue using a wireless keyboard get one with a shorter range.
If on a wireless keyboard, replace with a wired keyboard to see if the problem goes away. If that is the problem and the user wants to continue using a wireless keyboard get one with a shorter range.
GuruGary - very interesting. Obvious once you explain it!
ASKER
Actually I can pretty much guarantee that that is not the issue - you have to look at what the "ghost" typed. If it actually flowed and made sense then that could be a very logical explanation. However, if you look at it, it is a bunch of nonrelated phrases put together in one long string. Much more typical of a spambot virus than a diligent coworker in the next cubicle over.
well if the signal was dropping off and on then it would explain the nonrelated phrases. But i would think it was trojan/virus. what os is the client running? type of antivirrus? firewall enabled?
Hmm, quite interesting. In the paranoid corner of this issue there might be a malfunctioning keylogger releasing some of its content to the machine.
Im at a Uni where keyloggers actually have been found in the student PC rooms.
http://www.keylogger-hrd.com/
Im at a Uni where keyloggers actually have been found in the student PC rooms.
http://www.keylogger-hrd.com/
Did you ever find out if the PC was using a wireless keyboard? That is still my guess, as I have seen the same scenario more than once.
ASKER
I like the hardware keylogger idea - that's a new one to me, never heard of them before.
Without having the luxury of actually seeing the computer(the client is in Houston and I'm in the midwest) or being able to log in to look at it (they're like "it's working now so we don't have the time for you to login"), my opinion is that it was a trojan gone wacko. If you look at the email that was being typed (at the very top of the thread), you will notice that multiple disconnected phrases are inserted in the middle of a word. So it's not like he finished a paragraph or even a sentence and then his neighbor's wireless keyboard was typing away on his PC in the mean time. You really have to study the example to see it, but when you do I really think it's quite obvious that it's a mass emailing virus or trojan gone wacky.
Without having the luxury of actually seeing the computer(the client is in Houston and I'm in the midwest) or being able to log in to look at it (they're like "it's working now so we don't have the time for you to login"), my opinion is that it was a trojan gone wacko. If you look at the email that was being typed (at the very top of the thread), you will notice that multiple disconnected phrases are inserted in the middle of a word. So it's not like he finished a paragraph or even a sentence and then his neighbor's wireless keyboard was typing away on his PC in the mean time. You really have to study the example to see it, but when you do I really think it's quite obvious that it's a mass emailing virus or trojan gone wacky.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
The first thing I would do is run an AV scan and Spyware scan on the PC. Maybe consider removing it from the network too as if its spamming keystrokes it may be divulging important information out.
Once you have removed any spyware/malware/virus/troj
Wadski