Notepad.exe tries to connect to the internet


Hausi Tellenbach

Hi all.

I have Windows XP Professional Build 2600.xpsp2.030422-1633 (Service Pack 1)
with all available Critical Updates and Service Packs from
windowsupdate.microsoft.com and also from officeupdate.microsoft.com.

My personal firewall (KPF 4.0.16) asks me to allow Notepad.exe a connection
to ftp.leo.org [131.159.72.23], Port ftp [21] as soon as I choose "Save
as..." or "Open..." in the notepad.exe...

Notepad.exe to the internet? I remember, there was TROJ_QAZ, but neither the
antivir with actual signatures, nor my investigations in the registry and
folders let me find any part of a trojan or of another malware. I also
"asked" google, but I couldn't find any hint about this. Also Regedit and
"Search..." "containing ftp.leo.org" didn't let me find a clue.

Yes, I remember: Long time ago I was on ftp://ftp.leo.org/pub/freedb and I
dropped the icon from the IE address bar as a shortcut (freedb.url) to the
desktop - is it possible, this is the reason?

After deleting freedb.url, notepad.exe didn't ask anymore to connect to the
internet - if I place the shortcut again to the desktop, Kerio asks me
again - it's reproducible. I noticed, desktop was the last place I saved a
.txt file - so I tried to move the freedb.url to My Documents, saved a .txt
there and tried again. Now My Documents was the last place and as soon as I
chose "Save as..." or "Open..." from notepad.exe, Kerio asked me to allow
notepad.exe to connect to the internet. I've tried it again with a test.url,
which points to a http-site - no connection asked -> only for ftp-sites.

=> If there is a .url which points to an ftp site in a folder, which was the
last place notepad stored a file, notepad.exe will try to connect to the
location of this .url as soon as I choose "Save as..." or "Open..." - No
malware, but reproducible!

So, I'm wondering, what's the reason? Can I do something to correct this
behavior? Am I the only one, who is able to reproduce this behavior?
 
Where'd you learn of this ftp site? Do you program or write private info.
with Notepad? If so, you may be compromised. I myself didn't try to
recreate the problem, as it sounds pretty suspicious. The following is the
report given from ARIN Whois on the IP:

Search results for: 131.159.72.23

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: Singel 258
Address: 1016 AB
City: Amsterdam
StateProv:
PostalCode:
Country: NL

ReferralServer: whois://whois.ripe.net

NetRange: 131.159.0.0 - 131.160.255.255
CIDR: 131.159.0.0/16, 131.160.0.0/16
NetName: RIPE-ERX-131-159-0-0
NetHandle: NET-131-159-0-0-1
Parent: NET-131-0-0-0-0
NetType: Early Registrations, Transferred to RIPE NCC
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate: 2004-02-04
Updated: 2004-02-04

OrgTechHandle: RIPE-NCC-ARIN
OrgTechName: RIPE NCC Hostmaster
OrgTechPhone: +31 20 535 4444
OrgTechEmail: (e-mail address removed)

# ARIN WHOIS database, last updated 2004-05-24 19:15
# Enter ? for additional hints on searching ARIN's WHOIS databa

 
Not quite. Explorer (or the shell) is verifying the shortcuts (e.g. the File Open window). Windows hates FTP, it has a problem with FTP bad (it hangs till the ftp site answers). It should also happen at bootup. Put it in favourites. I can't connect to that site.
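
An added example, not part of any post in this thread: a small Python check that lists the `.url` shortcuts in a folder whose target uses the `ftp` scheme, which is the case the thread found to trigger the firewall prompt when the file dialog opens that folder. The function names and the sample folder are constructed for illustration; the `[InternetShortcut]` / `URL=` layout is the standard `.url` file format.

```python
import os
import tempfile
from urllib.parse import urlsplit

def shortcut_target(path):
    """Return the URL= value from the [InternetShortcut] section, or None."""
    in_section = False
    # utf-8-sig drops a leading BOM; errors="replace" tolerates ANSI-encoded files.
    with open(path, "r", encoding="utf-8-sig", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                in_section = line[1:-1].lower() == "internetshortcut"
            elif in_section and "=" in line:
                key, _, value = line.partition("=")
                if key.strip().lower() == "url":
                    return value.strip()
    return None

def find_ftp_shortcuts(folder, flagged_schemes=("ftp",)):
    """List (filename, scheme, host) for .url files whose target scheme is flagged."""
    hits = []
    for name in sorted(os.listdir(folder)):
        if not name.lower().endswith(".url"):
            continue
        target = shortcut_target(os.path.join(folder, name))
        if not target:
            continue
        parts = urlsplit(target)
        if parts.scheme.lower() in flagged_schemes:
            hits.append((name, parts.scheme.lower(), parts.hostname))
    return hits

def demo():
    # Constructed sample folder mirroring the thread: one ftp shortcut,
    # one http shortcut, and a text file that must be ignored.
    samples = {
        "freedb.url": "[InternetShortcut]\r\nURL=ftp://ftp.leo.org/pub/freedb\r\n",
        "test.url": "[InternetShortcut]\r\nURL=http://example.com/\r\n",
        "notes.txt": "ftp://not-a-shortcut.example/\r\n",
    }
    with tempfile.TemporaryDirectory() as folder:
        for name, body in samples.items():
            with open(os.path.join(folder, name), "w", newline="") as fh:
                fh.write(body)
        return find_ftp_shortcuts(folder)

if __name__ == "__main__":
    for name, scheme, host in demo():
        print(f"{name}: {scheme}://{host}")
```

Pointing `find_ftp_shortcuts` at the Desktop or My Documents folder shows which shortcuts would explain a prompt like the one Kerio raised for notepad.exe.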
 
Hi Mary.

As I wrote - it's neither the qaz, nor another malware - I've checked every
entry in startup (hklm, hkcu, startup-folder (pers and common), even
win.ini, etc.)
=> No unknown entry - it happens even if I disable some unnecessary stuff in
the startup with msconfig and what's not enabled, I've nothing found about
the left entries in google (web and news) - there is also no unknown service
and neither antivir, Spybot nor Adaware, etc. has detected a malware.

I think, my PC is really clean
 
