Strange .exe files appearing under c:\windows\temp\ when logging in via Terminal Services
Posted on 2008-10-19
The server which is used as domain controller/file server has had a major infection of viruses & trojans and I seem to have become overly suspicious after the whole ordeal... Two weeks ago we seemed to have gotten rid of all the nasty bits of software.
Anyway, the other day when I was looking in the c:\windows\temp\ folder I saw perhaps 20 .exe files, all having 4 digits in their name, e.g. 1388.exe, and being four kb big. I decided to delete them, and then F-Secure prompted, stating that this and that file contains a trojan. About five of the files were infected and I don't know whether they were recently infected or leftovers from when the server had various infections.
I noticed that a new .exe file is created each time you log into the server using Terminal Services. Repeated logins after that only modify the file's modification attribute. I opened the 3 files that were there today using Textpad in binary mode and they all contained what seemed like an IP number and port. I don't have the specific number right now but it was something like 54.xxx.xxx.xxx:339. I think it started with 54 but the others I don't remember.
What is this? Does anyone have any idea?