RE: Possible New ARP DoS - dosprmwin.exe

From: Salasche, David (dsalasche_at_brinkshofer.com)
Date: 06/18/04

    Date: Fri, 18 Jun 2004 09:36:10 -0500
    To: "H Carvey" <keydet89@yahoo.com>, <security-basics@securityfocus.com>
    
    

    David,

    I read through your post, and I've got some questions regarding what
    you've presented...

    > We noticed on Monday a large amount of random arp traffic throughout our
    > network. After a number of false starts, we linked this traffic to an
    > executable named dosprmwin.exe.

    What did you do to be able to accomplish this? I think it would be
    educational to the list if you could elaborate just a little on how you
    went about doing this.

    >> We used Ethereal to detect the traffic. We found dosprmwin by comparing
    >> the process list on machines that were broadcasting and then used process
    >> of elimination.

    > We have not been able to find information about this program anywhere.

    All in all, that's not unusual. It could very well be something new, or
    something not-so-new, but renamed.

    > The registry key where dosprmwin.exe was found had "Micro Process" in
    > the name field.

    Ok...what's the significance of this?

    >> I wasn't sure if this had any significance but wanted to include all
    >> information we had. I was hoping someone might recognize this name.

    > This only seemed to be exploiting Windows XP machines without the MS04-015
    > (kb840374) update. Also, all infected computers are up to date with
    > Norton Anti-Virus Corporate Edition. We are not sure how the program was
    > propagating, but it was sending out arp traffic to random hosts.

    I'm still not entirely clear on your line of reasoning here...what am I
    missing? I get the first two sentences, but if you were able to tie the
    activity to a particular KB article as you did, wouldn't that then tell
    you how the program was propagating?

    >> That just told us which exploit it was using to install itself. We
    >> still aren't sure if all of these users visited an infected web site
    >> or if just one user did and then the worm propagated using the arp
    >> broadcasts.

    > We were able to solve the problem by running Windows Updates and then
    > stopping the dosprmwin.exe process and removing the file from
    > \windows\system32. The file was marked as hidden, read-only, and
    > system.

    Do you have a copy of this file available for someone to look at?

    >> I do not. I think one of my associates does, but he has been
    >> unavailable. When I get a hold of him I will send a copy to whomever
    >> wants one.

    > Running fport or netstat -a while the process was still running would
    > show a large number of listening TCP ports. After the process was
    > killed, these listening ports disappeared.

    Does this mean that the output of fport explicitly tied the open ports
    to this executable file?

    >> Yes.
    >> In addition, there was a post to a foreign forum asking about
    >> dosprmwin.exe, but I have been unable to translate it. Thanks again for
    >> all and any help!

    Thanks,

    Harlan

    ---------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    ----------------------------------------------------------------------------
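The thread's detection step was done by eye in Ethereal: watch the wire, notice one host asking "who-has" for addresses nobody else cares about, then compare process lists. The script below is an added example and is not from the original post or from any of the tools named in it. It decodes raw Ethernet/ARP frames with the standard library and flags any sender MAC that requests more than a threshold of distinct target IPs inside a sliding time window, which is the "random arp traffic to random hosts" pattern described above. The frames, the two hosts, the 10-second window and the 20-target threshold are all constructed assumptions; against a real capture you would feed it (timestamp, frame) pairs from a pcap reader instead of the built-in sample.

```python
"""Flag hosts spraying ARP who-has requests at many distinct targets.

Added example, not from the original thread. All traffic is constructed.
"""
import random
import struct
from collections import Counter, defaultdict

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, ethertype
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1
BROADCAST_MAC = b"\xff" * 6


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_to_str(raw):
    return ".".join(str(b) for b in raw)


def ip_to_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(src_mac, sender_ip, target_ip):
    """Build a broadcast who-has frame (constructed test traffic, not a capture)."""
    eth = ETH_HDR.pack(BROADCAST_MAC, src_mac, ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REQUEST, src_mac,
                       ip_to_bytes(sender_ip), b"\x00" * 6, ip_to_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the fields of an Ethernet/ARP (IPv4 over Ethernet) frame, else None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"src_mac": mac_to_str(src), "sha": mac_to_str(sha), "oper": oper,
            "sender_ip": ip_to_str(spa), "target_ip": ip_to_str(tpa)}


def find_arp_sprayers(timed_frames, window=10.0, threshold=20):
    """Return {src_mac: peak} for senders whose distinct who-has targets inside
    any `window` seconds exceed `threshold` (window and threshold are assumptions)."""
    per_mac = defaultdict(list)
    for ts, frame in sorted(timed_frames, key=lambda tf: tf[0]):
        arp = parse_arp(frame)
        if arp and arp["oper"] == ARP_REQUEST:
            per_mac[arp["src_mac"]].append((ts, arp["target_ip"]))

    flagged = {}
    for mac, events in per_mac.items():
        in_window = Counter()   # distinct targets currently inside the sliding window
        start = 0
        peak = 0
        for ts, target in events:
            in_window[target] += 1
            while events[start][0] < ts - window:   # evict requests older than the window
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > threshold:
            flagged[mac] = peak
    return flagged


def sample_traffic():
    """Constructed traffic: one ordinary workstation and one host sweeping random addresses."""
    rng = random.Random(2004)
    quiet = bytes.fromhex("00112233aa01")
    noisy = bytes.fromhex("00112233bb02")
    frames = []
    # The quiet host resolves its gateway and two servers every couple of seconds.
    for i in range(30):
        target = ["192.168.1.1", "192.168.1.10", "192.168.1.20"][i % 3]
        frames.append((i * 2.0, build_arp_request(quiet, "192.168.1.50", target)))
    # The noisy host fires 60 requests at random addresses within five seconds.
    for i in range(60):
        target = f"192.168.{rng.randint(0, 255)}.{rng.randint(1, 254)}"
        frames.append((20.0 + i * 0.08, build_arp_request(noisy, "192.168.1.51", target)))
    return frames


if __name__ == "__main__":
    for mac, peak in find_arp_sprayers(sample_traffic()).items():
        print(f"{mac}: {peak} distinct ARP targets inside one window")
```

The sliding window matters more than a raw count: a busy file server legitimately resolves many peers over a day, while the behaviour reported here is dozens of unrelated targets in seconds. Once a MAC is flagged, the next step is the one the poster took, pulling the process list and listening ports (fport or netstat) on that host.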
    
