RE: Possible New Arp DoS - dosprmwin.exe
From: Salasche, David (dsalasche_at_brinkshofer.com)
Date: 06/18/04
- Previous message: Ranjeet Shetye: "Re: 192.168.x.x oddities"
- Maybe in reply to: dsalasche_at_brinkshofer.com: "Possible New Arp DoS - dosprmwin.exe"
- Next in thread: Harlan Carvey: "RE: Possible New Arp DoS - dosprmwin.exe"
- Reply: Harlan Carvey: "RE: Possible New Arp DoS - dosprmwin.exe"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 18 Jun 2004 09:36:10 -0500
To: "H Carvey" <keydet89@yahoo.com>, <security-basics@securityfocus.com>
David,
I read through your post, and I've got some questions regarding what
you've presented...
> We noticed on Monday a large amount of random arp traffic throughout our
> network. After a number of false starts, we linked this traffic to an
> executable named dosprmwin.exe.
What did you do to be able to accomplish this? I think it would be
educational to the list if you could elaborate just a little on how you
went about doing this.
>> We used Ethereal to detect the traffic. We found dosprmwin by comparing
>> the process list on machines that were broadcasting and then used process
>> of elimination.
> We have not been able to find information about this program anywhere.
All in all, that's not unusual. It could very well be something new, or
something not-so-new, but renamed.
> The registry key where dosprmwin.exe was found had "Micro Process" in
> the name field.
Ok...what's the significance of this?
>> I wasn't sure if this had any significance but wanted to include all
>> information we had. I was hoping someone might recognize this name.
> This only seemed to be exploiting Windows XP machines without the MS04-015
> (kb840374) update. Also, all infected computers are up to date with
> Norton Anti-Virus Corporate Edition. We are not sure how the program was
> propagating, but it was sending out arp traffic to random hosts.
I'm still not entirely clear on your line of reasoning here...what am I
missing? I get the first two sentences, but if you were able to tie the
activity to a particular KB article as you did, wouldn't that then tell
you how the program was propagating?
>> That just told us which exploit it was using to install itself. We
>> still aren't sure if all of these users visited an infected web site
>> or if just one user did and then the worm propagated using the arp
>> broadcasts.
> We were able to solve the problem by running Windows Updates and then
> stopping the dosprmwin.exe process and removing the file from
> \windows\system32. The file was marked as hidden, read-only, and system.
Do you have a copy of this file available for someone to look at?
>> I do not. I think one of my associates does, but he has been
>> unavailable. When I get a hold of him I will send a copy to whomever
>> wants one.
> Running fport or netstat -a while the process was still running would
> show a large number of listening TCP ports. After the process was
> killed, these listening ports disappeared.
Does this mean that the output of fport explicitly tied the open ports
to this executable file?
>> Yes.
>> In addition, there was a post to a foreign forum asking about
>> dosprmwin.exe, but I have been unable to translate it. Thanks again for
>> all and any help!
Thanks,
Harlan
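The detection step the thread describes (noticing one host sending ARP requests for a large number of random addresses, as seen in an Ethereal capture) can be automated over a text capture summary. The script below is an added example, not code from the thread or its participants; it assumes tshark-style one-line ARP request summaries in a constructed format, a hypothetical threshold of 8 distinct targets within one second, and a local subnet you pass in.

```python
import ipaddress
import re
from collections import defaultdict

# One-line ARP request summary (constructed format, modelled on tshark text output)
ARP_REQ = re.compile(
    r"^(?P<ts>[\d.]+)\s+(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+->\s+Broadcast\s+ARP\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)$"
)

# Constructed sample capture: host .50 asks about its gateway twice (benign);
# host .77 asks about ten different addresses in under a second (worm-like).
SAMPLE_LINES = [
    "0.000 00:0c:29:aa:bb:01 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.50",
    "5.000 00:0c:29:aa:bb:01 -> Broadcast ARP Who has 192.168.1.1? Tell 192.168.1.50",
] + [
    f"{1 + i * 0.05:.3f} 00:0c:29:aa:bb:02 -> Broadcast ARP Who has {t}? Tell 192.168.1.77"
    for i, t in enumerate(["192.168.1.3", "192.168.1.4", "10.4.9.2", "172.16.8.8",
                           "203.0.113.5", "192.168.1.9", "198.51.100.7", "10.0.0.1",
                           "192.168.1.200", "8.8.4.4"])
]

def parse_arp_requests(lines):
    """Yield (timestamp, sender_mac, sender_ip, target_ip) for each ARP request line."""
    for line in lines:
        m = ARP_REQ.match(line.strip())
        if m:
            yield float(m["ts"]), m["mac"], m["sender"], m["target"]

def find_arp_scanners(lines, local_net, min_targets=8, window=1.0):
    """Return {sender_mac: (distinct_targets, off_subnet_targets)} for senders that ask
    about at least min_targets distinct IPs within any window-second span."""
    net = ipaddress.ip_network(local_net)
    per_sender = defaultdict(list)  # mac -> [(ts, target_ip), ...]
    for ts, mac, _sender, target in parse_arp_requests(lines):
        per_sender[mac].append((ts, target))
    flagged = {}
    for mac, events in per_sender.items():
        events.sort()
        start = 0  # sliding window over time-ordered requests from this sender
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({t for _, t in events[start:end + 1]}) >= min_targets:
                targets = {t for _, t in events}  # report totals for the whole capture
                off = sum(1 for t in targets if ipaddress.ip_address(t) not in net)
                flagged[mac] = (len(targets), off)
                break
    return flagged
```

Calling `find_arp_scanners(SAMPLE_LINES, "192.168.1.0/24")` flags only the second MAC, reporting 10 distinct targets of which 6 lie outside the local subnet; a high off-subnet count is the "random hosts" pattern the thread describes, since a legitimate host has no reason to ARP for addresses it cannot reach at layer 2.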