Americas

  • United States

Drop kicking the Eggdrops

Opinion
Nov 24, 20032 mins
Networking

Your  recent column on Eggdrop bots  was timely. We have a client that keeps getting Eggdrops installed on it. In the most recent case you could tell they were there only by the log files and by the fact that when you emptied the Recycle Bin it complained that directories that did not show up in the listing were not empty and could not be removed. Is there any way under Windows to reveal these directories without booting into Linux?

Sometimes you can see parts of the directories if Windows is set to show all system and hidden files. Using Search to look for files also seems to work.

All the Eggdrops we’ve found so far include fport.exe, tlist.exe, plist.exe and pskill.exe. Sometimes Norton and McAfee will pick up an infection in csrss or Explorer.

Do a Google search on “aysshell.exe” for links to variations on the theme that several universities have documented.

Use the free Process Explorer available at www.sysinternals.com to show a tree view of the running processes and files they have open. Even if Eggdrops are installed under svchost, you can see the net commands being issued by the Trojan. From there, you can kill the process and hunt down the files.