Randomly generated files in %temp% folder when Outlook receives messages

Discussion in 'Software' started by mercadmin, May 27, 2010.

  1. mercadmin

    mercadmin Private E-2

    Hi all,

    I was recently clearing out temp files on the computers here at work and came across two users who have strange files in their %Temp% folder. One is on XP and the path is C:\Documents and Settings\<userprofile>\Local Settings\Temp. The other is on Vista and the path is C:\Users\<userprofile>\AppData\Local\Temp. Most of our users run with limited rights but these two users run programs that require them to have local admin rights. The suspicious looking files are as follows:

    s2j0.1o
    s2j0.2
    s2j0.3
    s2j0.4
    s2j0.5
    s2j0.6
    s2j0.7
    s2j0.8
    s2j0.9
    s2j0.a
    s2j0.b
    s2j0.c
    s2j0.d
    s2j0.e

    etc., etc.

    I cannot delete these files as they come up as access denied. But I copied one of the files to the desktop of the afflicted computer and changed the extension to a .txt. When I opened the file it was a copy of an email message that had come into Outlook that day. Every one of these files that I open is a copy of an email received into Outlook. I sent a test message to the afflicted computer and as soon as it received the message a new file was created in the %temp% directory with the same nomenclature and the next available serialized extension. I tested a few other systems and none of the other computers exhibit this same behavior when Outlook receives messages. Every day the filenames will change to some other 3-5 random letter and number combination but the extensions are always .a, .b, .c, .d, .e, .f, etc. and .1, .2, .3, .4, .5 etc. and are always copies of email messages. Does anyone have an explanation as to what this could be? I'm assuming it is virus related but Symantec, Malwarebytes, and Sophos Anti-Rootkit scans are clean.

    Any help or insight would be greatly appreciated.

    Thanks!
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Hi

    What is the original extension of these files? It's not a .exe, is it, by any chance? If so, I would suspect malware. I cannot say I've ever noticed Outlook save copies of emails like that in the temp folder with those extensions.

    What you could do is to follow the below guide and start a new thread in malware for our malware experts to review and see what they think.

     
  3. mercadmin

    mercadmin Private E-2

    The files are showing up in the %temp% folder whenever a new message is received in Outlook. The filename and extension don't change after the file is created. But there is a definite pattern to the extensions as these files are generated. They go in order numerically and then alphabetically. Here is an example of the emails that came in this morning and the filenames and extensions that were created:

    1st email: s3s8
    2nd email: s3s8.1
    3rd email: s3s8.2
    4th email: s3s8.3
    5th email: s3s8.4
    6th email: s3s8.5
    7th email: s3s8.6
    8th email: s3s8.7
    9th email: s3s8.8
    10th email: s3s8.9
    11th email: s3s8.a
    12th email: s3s8.b
    13th email: s3s8.c

    I wasn't going to post to the malware forum yet as I wasn't sure if that is what is causing the behavior. I've tried lots of Google searching but can't seem to find anything similar to what I'm experiencing.
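
Added example, not part of the original thread or any poster's code: a Python triage script that looks in a temp directory for the naming pattern described in the posts above (a 3-5 character alphanumeric base name, alone or with a one-character extension), checks whether each file begins with Internet message headers, and groups hits by base name so the same check can be repeated across workstations. The function names, the header list and the three-header threshold are assumptions chosen for illustration; files that cannot be opened (the "access denied" case) are reported as unreadable rather than skipped.

```python
import os
import re
import sys
import tempfile
from collections import defaultdict

# Name shape taken from the thread: a 3-5 character alphanumeric base name,
# alone or followed by a one-character extension (1-9, then a, b, c, ...).
NAME_RE = re.compile(r"^([a-z0-9]{3,5})(?:\.([0-9a-z]))?$", re.IGNORECASE)
# Common Internet message header fields (RFC 5322 / MIME). Assumed list.
MAIL_HEADERS = {"received", "return-path", "from", "to", "subject",
                "date", "message-id", "mime-version", "content-type"}


def looks_like_email(path, min_headers=3):
    """True/False from the first 8 KiB, or None if the file cannot be read."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(8192).decode("latin-1")
    except OSError:  # e.g. "access denied" while another process holds it
        return None
    seen = set()
    for line in head.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        if line[0] in " \t":
            continue  # folded continuation of the previous header
        name, sep, _ = line.partition(":")
        if sep and name.strip().lower() in MAIL_HEADERS:
            seen.add(name.strip().lower())
    return len(seen) >= min_headers


def scan_temp(temp_dir):
    """Group matching files by base name -> [(filename, verdict), ...]."""
    groups = defaultdict(list)
    for entry in sorted(os.listdir(temp_dir)):
        match = NAME_RE.match(entry)
        full = os.path.join(temp_dir, entry)
        if match and os.path.isfile(full):
            groups[match.group(1).lower()].append((entry, looks_like_email(full)))
    # Keep only groups where at least one file is mail or could not be read.
    return {b: f for b, f in groups.items() if any(v is not False for _, v in f)}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.gettempdir()
    for base, files in scan_temp(target).items():
        for name, verdict in files:
            state = {True: "email", False: "other", None: "unreadable"}[verdict]
            print(f"{base}\t{name}\t{state}")
```

Run it with the affected user's temp path as the argument; with no argument it scans the current user's temp directory.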
     
  4. collinsl

    collinsl MajorGeek

    I do agree with halo that you should go through the malware forum, if not just for being certified clean. This will close off one avenue of exploration.
     
  5. mercadmin

    mercadmin Private E-2

    Ok, thanks for the suggestions. Because these computers are in use all day I will have to schedule a time when I can run through the process of creating all the logs needed. It will probably be next week sometime.

    Thanks again!
     
