Notice ~ 

Are you searching for our italian Community  Forumzone.it?
Main Menu

"cisideve"??????

Started by Caravel, 28 January 2006, 00:41:09

Previous topic - Next topic

Caravel

I found in a friends windows 2000 computer a highly suspicious system service.  The service has a password and nothing more description wise.  The service is called "cisideve" which appears to be italian, from a quick google search, but neither google babelfish or anything else will translate it.

Your help would be very much appreciated on this one, as I expect it is hacker/trojan activity.

Regards


Caravel
 

benna

i never heard about this service but i can help you with the translation (although i don't think that is usefull)
"cisideve" cannot be translated because it isn't a word
"ci si deve" is a part of a sentence and its translation is: "we have to"..."ourself"
my PC:

AMD Athlon64 3200+ - ASUS K8V-Deluxe - 1GB DDR400 - 3DFX Voodoo 5 5500 PCI



3DAnalyze user guide:  https://www.3dfxzone.it/dir/articles/3d_analyze_user_guide/

Caravel

Many thanks benna.  The service, as I suspected, appears to be a program made by a script kiddy using Firedaemon, a program which allows an app to run as a win32 service.  The service was there to allow a hacker to enter but it seems that the hacker failed to pull it off successfully as the file that the service entry points to doesn't exist.  This is spread via a trojan called "Nabload.U" that users are tricked into downloading via microsoft's crappy msn messenger service.  I believe it is spread by executable file links that suddenly appear in your conversations.  It mainly effects spanish speaking msn users.  The files tend to be called something like "foto.exe" or "imagen.exe".  This triggers the download of another file called "navupdt.exe" which copies itself to the system32 folder and creates another folder called "services" containing "services.exe".  This seems to allow access to the hacker allows them to create a service on your system to allow full remote access.

This piece of malware is fairly new, late last year, as AVG didn't identify it at first and I had to update the persons AVG, which was about 3 weeks out of date, before it would identify it.

Regards


caravel