UNKNOWN Environment variable

Started by GoneFishing, October 02, 2013, 07:29:40 AM

GoneFishing

Today I've found one very suspicious-looking environment variable:
Quote
COMPLUS_FodPath=c:\no-fod.exe
Deleting it several times did no good - it reappeared every time.
I searched for "COMPLUS_FodPath" but there were only 2 (!!!) results on the whole internet. The most significant one was found here.
It contained the same variable with a different value:
Quote
COMPLUS_FODPATH = C:\FOD_IS_Disabled_By_AC_SHIM.exe

That's a very strange name for a "normal" executable.
What does "FOD" mean?
Foreign object damage or one of those meanings?

Any ideas?


dedndave

maybe Feature-On-Demand
let me see what i can find.....

GoneFishing


jj2007

FOD trojan?

Or launch your debugger and see what c:\no-fod.exe does...

dedndave

well - you were playing with databases the other day
maybe it's related to Oracle Fusion Order Demo (FOD) schema

http://www.oracle.com/technetwork/testcontent/connection11g-088156.html

dedndave

Quote
Some JDeveloper collaterals require the Fusion Order Demo (FOD) schema to
exist in the database. To install the schema, perform the following steps:....

perhaps you have something that needs the no-fod.exe file if the schema is not installed - hence the name

GoneFishing

Quote from: jj2007 on October 02, 2013, 07:54:37 AM
FOD trojan?

Or launch your debugger and see what c:\no-fod.exe does...

I didn't find an exe with that name on the drive :(

Quote from: dedndave on October 02, 2013, 07:59:23 AM
well - you were playing with databases the other day
maybe it's related to Oracle Fusion Order Demo (FOD) schema

http://www.oracle.com/technetwork/testcontent/connection11g-088156.html

No, Dave, I didn't play with an Oracle database at all.

Maybe try:
findstr /s "no-fod.exe" c:\*.*
?

qWord

Quote from: jj2007 on October 02, 2013, 07:54:37 AM
Or launch your debugger and see what c:\no-fod.exe does...

bad idea for potential malware!
MREAL macros - when you need floating point arithmetic while assembling!

GoneFishing

I scanned drive C:\ with MSE.
7 "unwanted" files were found.
MSE froze halfway through the cleaning stage ... but today the strange environment variable is gone.
Thank you all
Take care

Vortex

Did you make an analysis with Autoruns?

http://technet.microsoft.com/en-US/sysinternals/bb963902.aspx

hutch--

I would also try and find the EXE file. Command line "dir /s filename.ext" should find it for you when run from the root directory.

GoneFishing

Quote from: hutch-- on October 03, 2013, 05:03:07 AM
I would also try and find the EXE file. Command line "dir /s filename.ext" should find it for you when run from the root directory.
I tried but didn't find it.
After the AV scan that environment variable disappeared.
Interestingly, in both cases the value of %COMPLUS_FodPath% looks more like a report (return value) than just the name of an executable.
I tend to think it was malicious software.

Quote from: Vortex on October 03, 2013, 04:08:04 AM
Did you make an analysis with Autoruns?

http://technet.microsoft.com/en-US/sysinternals/bb963902.aspx

I already have the Sysinternals suite. I like those tools very much.
I had such a thought yesterday but the AV scan was already running at that moment.
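
One way to trace where a variable that keeps reappearing, such as COMPLUS_FodPath, is actually defined. This is an added PowerShell example, not part of any post in the thread; the script and its `-Name` parameter are assumptions, and the two registry keys are the standard Windows locations for per-user and machine-wide environment variables.

```powershell
# Added example, not from the thread. Reports every scope in which a named
# environment variable is defined, so a value that "comes back" can be traced.
param([string]$Name = 'COMPLUS_FodPath')

# Persistent environment variables are stored in these two registry keys.
$persistent = [ordered]@{
    User    = 'HKCU:\Environment'
    Machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
}

$found = @(foreach ($scope in $persistent.GetEnumerator()) {
    $key = Get-Item -LiteralPath $scope.Value -ErrorAction SilentlyContinue
    if (-not $key) { continue }
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -ine $Name) { continue }   # registry value names are case-insensitive
        [pscustomobject]@{
            Scope = $scope.Key
            Value = $key.GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')
            Kind  = $key.GetValueKind($valueName)
        }
    }
})

# The copy this process inherited from its parent (Explorer, a service, a launcher).
$live = [Environment]::GetEnvironmentVariable($Name, 'Process')
if ($null -ne $live) {
    $found += [pscustomobject]@{ Scope = 'Process'; Value = $live; Kind = 'inherited' }
}

if ($found.Count -eq 0) { "$Name is not defined in any scope."; return }

$found | ForEach-Object {
    # Flag values that name a file which does not exist on disk, as in the thread.
    $expanded = [Environment]::ExpandEnvironmentVariables([string]$_.Value)
    $exists   = [bool]($expanded -and (Test-Path -LiteralPath $expanded))
    $_ | Add-Member -NotePropertyName TargetExists -NotePropertyValue $exists -PassThru
} | Format-Table -AutoSize

if (-not ($found | Where-Object { $_.Scope -ne 'Process' })) {
    "Only the process copy exists: it was set by a parent process, not stored in the registry."
}
```

A hit in the User or Machine scope that returns after deletion means something is rewriting the registry value; a hit only in the Process scope points at whatever launched the shell.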