RE: WINS CLient Service
From: wyldchilde (wyldchilde_at_allofyourgodsaredead.com)
Date: 12/12/03
- Previous message: Dano: "Re: Fw: services.exe file"
- Maybe in reply to: Ziots, Edward: "RE: WINS CLient Service"
Date: Fri, 12 Dec 2003 10:35:52 -0800
To: "'incidents@securityfocus.com'" <incidents@securityfocus.com>, "Ziots, Edward" <EZiots@Lifespan.org>
It's W32/Nachi or Welchia if you look at the Symantec site. It
uses the RPC/DCOM exploit to infect the system. It's also
supposed to remove msblast and automatically delete itself if the
system date is 2004. The easiest way to remove it is to download
stinger from NAI or FixWelch.exe from Symantec.
Cheers,
Bryan
> Has anyone seen a virus/worm or misconfiguration load the WINS Client
> Service on a Win2k Server? In all the servers I have built I have never
> seen this service, it basically had a dllhost.exe and svchost.exe copy
> in the c:\winnt\system32\wins directory, and svchost.exe was a renamed
> copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe
> in it.
>
> If anyone has run into this before let me know what solutions you might
> have found,