OSEC

 
From: Kevin Guidry (thekevbo1yahoo.com)
Date: Tue Aug 07 2001 - 19:43:47 CDT


       The vptray.exe mystery that I have been
    experiencing has been solved. All of you who
    suspected that it was a remote administration program,
    give yourself a point. If you named RAdmin as the
    specific program, give yourself two points. Three
    points go to Daniel Floyd, who provided me with the
    clue I needed to crack the case.
       Daniel suggested that I run vptray.exe with the
    /setup option. I did so, and on my screen
    materialized the setup options for the RAdmin server.
    As netstat -a confirms, the infected machine is
    listening on port 4899. This is the default port for
    this program to listen for connections. So it appears
    to be beyond doubt that someone simply renamed
    r_server.exe to vptray.exe and overwrote the "real"
    copy of vptray.exe.
       This is clever in some ways. Since we use
    mandatory roaming profiles for all of our users, users
    cannot add programs to the startup folder. However,
    since we were foolish/trusting enough to leave most of
    our directories unprotected, some user(s) exploited
    this and simply replaced one of the programs that is
    already in the startup folder with one of their own,
    making sure to rename their program to match ours. If
    they had only thought to change the icon of this "new"
    program to that of the previous program, we might
    never have noticed this.
       Many thanks for everyone's suggestions, help, and
    encouragement!

    Kevin

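The two checks in the post above (what a startup-folder program really is, and whether something is listening on RAdmin's default port 4899) can be turned into a routine audit. The following PowerShell script is an added example; it is not code from the original post or from Neohapsis. It assumes an elevated PowerShell 3.0 or later session on the suspect host, that the host's `netstat -ano` prints the usual Proto/Local/Foreign/State/PID columns, and that port 4899 is the only value worth flagging (the post's figure; change `$SuspectPort` for other tools). The version-info and Authenticode checks only help when the vendor's original binary was signed or carried an OriginalFilename field, so an "unsigned" or "name mismatch" result is a lead, not proof.

```powershell
# Added example (not from the original post): audit logon-time programs on a
# Windows host and flag ones that do not look like what their file name claims,
# plus anything listening on the RAdmin default port reported in the post.
# Assumptions: elevated PowerShell 3+, standard netstat -ano column layout.

$SuspectPort = 4899   # RAdmin default listener, per the post

$StartupFolders = @(
    [Environment]::GetFolderPath('CommonStartup'),   # All Users startup folder
    [Environment]::GetFolderPath('Startup')          # current user's startup folder
)
$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Pull the executable path out of a Run-key command line ("C:\x\y.exe" /flag or y.exe /flag).
function Get-CommandExecutable([string]$CommandLine) {
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"')        { return $Matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)(\s|$)') { return $Matches[1] }
    return $null
}

# Resolve a startup-folder item to the file that actually runs (.lnk -> target).
function Resolve-StartupTarget([string]$Path) {
    if ($Path -match '\.lnk$') {
        $shell = New-Object -ComObject WScript.Shell
        return $shell.CreateShortcut($Path).TargetPath
    }
    return $Path
}

function Get-StartupExecutables {
    $paths = @()
    foreach ($dir in $StartupFolders) {
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -match '^\.(exe|lnk)$' } |
            ForEach-Object { $paths += Resolve-StartupTarget $_.FullName }
    }
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip provider metadata
            $paths += Get-CommandExecutable ([string]$p.Value)
        }
    }
    $paths | Where-Object { $_ -and (Test-Path $_) } | Sort-Object -Unique
}

# For each startup binary, compare the on-disk name with the embedded version info
# and check the Authenticode signature. A renamed r_server.exe would show up here
# as a name mismatch and/or as unsigned, if the genuine vptray.exe was signed.
function Test-StartupEntry([string]$Path) {
    $file = Get-Item -Path $Path
    $vi   = $file.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $expected = $vi.OriginalFilename
    [pscustomobject]@{
        Path         = $Path
        OnDiskName   = $file.Name
        OriginalName = $expected
        Product      = $vi.ProductName
        Company      = $vi.CompanyName
        Signature    = $sig.Status
        NameMismatch = ($expected -and ($expected -ne $file.Name))
        Unsigned     = ($sig.Status -ne 'Valid')
    }
}

# Parse netstat -ano for LISTENING sockets on the suspect port and map PID -> image path.
function Get-ListenersOnPort([int]$Port) {
    netstat -ano | Where-Object { $_ -match 'LISTENING' -and $_ -match ":$Port\s" } |
        ForEach-Object {
            $fields = ($_ -split '\s+') | Where-Object { $_ }
            $procId = [int]$fields[-1]
            $proc   = Get-Process -Id $procId -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $fields[1]
                PID          = $procId
                ProcessName  = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                ImagePath    = if ($proc) { $proc.Path } else { $null }
            }
        }
}

Write-Host "== Startup programs that look renamed or unsigned =="
Get-StartupExecutables | ForEach-Object { Test-StartupEntry $_ } |
    Where-Object { $_.NameMismatch -or $_.Unsigned } | Format-List

Write-Host "== Processes listening on TCP $SuspectPort =="
Get-ListenersOnPort $SuspectPort | Format-Table -AutoSize
```

Run it on a known-good machine first to see which of your own startup programs are legitimately unsigned, then diff the output against the suspect host; the interesting entries are the ones whose OriginalName or Company does not match the product the file name advertises, and any listener on 4899 whose ImagePath is one of those startup binaries.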