Randomly generated files in %temp% folder when Outlook receives messages

[mercadmin]

Hi all,

I was recently clearing out temp files on the computers here at work and came across two users who have strange files in their %Temp% folder. One is on XP and the path is C:\Documents and Settings\<userprofile>\Local Settings\Temp. The other is on Vista and the path is C:\Users\<userprofile>\AppData\Local\Temp. Most of our users run with limited rights but these two users run programs that require them to have local admin rights. The suspicious looking files are as follows:

s2j0.1o
s2j0.2
s2j0.3
s2j0.4
s2j0.5
s2j0.6
s2j0.7
s2j0.8
s2j0.9
s2j0.a
s2j0.b
s2j0.c
s2j0.d
s2j0.e

etc,etc.

I cannot delete these files as they come up as accessed denied. But I copied one of the files to the desktop of the afflicted computer and changed the extension to a .txt. When I opened the file it was a copy of an email message that had come into Outook that day. Every one of these files that I open is a copy of an email received into Outlook. I sent a test message to the afflicted computer and as soon as it received the message a new file was created in the %temp% directory with the same nomenclature and the next available serialized extension. I tested a few other systems and none of the other computers exhibit this same behavior when Outlook receives messages. Every day the filenames will change to some other 3-5 random letter and number combination but the extensions are always .a, .b, .c, .d, .e, .f, etc and .1, .2, .3, .4, .5 etc and are always copies of email messages. Does anyone have an explanation as to what this could be? I'm assuming it is virus related but Symantec, MalwaryBytes, and Sophos Anti-Rootkit scans are clean.

Any help or insight would be greatly appreciated.

Thanks!

[DavidGP]

Hi

What is the original extention of these files? its not a .exe is it by any chance as if so I would suspect malware. I cannto say I've ever noticed Outlook save copies of emails like that in temp folder with those extentions.

What you could do is to follow the below guide and start a new thread in malware for our malware experts to review and see what they think

Quote:

Please read and follow the following READ & RUN ME FIRST. Malware Removal Guide and once finished please start a new thread in the Malware Forum plus a guide on how to attach the logs HOW TO: Attach Items To Your Post

[mercadmin]

The files are showing up in the %temp% folder whenever a new message is received in Outlook. The filename and extension doesn't change after it is created. But there is a definite pattern to the extensions as these files are generated. They go in order numerically and then alphabetically. Here is an example of the emails that came in this morning and the filenames and extensions that were created:

1st email: s3s8
2nd email: s3s8.1
3rd email: s3s8.2
4th email: s3s8.3
5th email: s3s8.4
6th email: s3s8.5
7th email: s3s8.6
8th email: s3s8.7
9th email: s3s8.8
10th email: s3s8.9
11th email: s3s8.a
12th email: s3s8.b
13th email: s3s8.c

I wasn't going to post to the malware forum yet as I wasn't sure if that is what is causing the behavior. I've tried lots of google searching but can't seem to find anything similar to what I'm experiencing.

[collinsl]

Quote:

Originally Posted by mercadmin

The files are showing up in the %temp% folder whenever a new message is received in Outlook. The filename and extension doesn't change after it is created. But there is a definite pattern to the extensions as these files are generated. They go in order numerically and then alphabetically. Here is an example of the emails that came in this morning and the filenames and extensions that were created:

1st email: s3s8
2nd email: s3s8.1
3rd email: s3s8.2
4th email: s3s8.3
5th email: s3s8.4
6th email: s3s8.5
7th email: s3s8.6
8th email: s3s8.7
9th email: s3s8.8
10th email: s3s8.9
11th email: s3s8.a
12th email: s3s8.b
13th email: s3s8.c

I wasn't going to post to the malware forum yet as I wasn't sure if that is what is causing the behavior. I've tried lots of google searching but can't seem to find anything similar to what I'm experiencing.

I do agree with halo that you should go through the malware forum, if not just for being certified clean. This will close off one avenue of exploration.

[mercadmin]

Ok, thanks for the suggestions. Because these computers are in use all day I will have to schedule a time when I can run through the process of creating all the logs needed. It will probably be next week sometime.

Thanks again!