Security Basics mailing list archives
RE: Possilbe New Arp DoS - dosprmwin.exe
From: "Salasche, David" <dsalasche () brinkshofer com>
Date: Fri, 18 Jun 2004 09:36:10 -0500
David, I read through your post, and I've got some questions regarding what you've presented...
We noticed on Monday a large amount of random arp traffic throughout
our
network. After a number of false starts, we linked this traffic to an
executable named dosprmwin.exe.
What did you do to be able to accomplish this? I think it would be educational to the list if you could elaborate just a little on how you went about doing this.
We used Ethereal to detect the traffic. We found dosprmwin by
comparing >> the process list on machines that were broadcasting and then used process >> of elimination.
We have not been able to find information about this program anywhere.
All in all, that's not unusual. It could very be something new, or something not-so-new, but renamed.
The registry key where dosprmwin.exe was found had ?Micro Process? in
the name field.
Ok...what's the significance of this?
I wasn't sure if this had any significance but wanted to include all information we had. I was hoping someone might recognize this name.
This only seemed to be exploiting Windows XP machines without the
MS04-
015 (kb840374) update. Also, all infected computers are up to date
with
Norton Anti-Virus Corporate Edition. We are not sure how the program
was
propagating, but it was sending out arp traffic to random hosts.
I'm still not entirely clear on your line of reasoning here...what am I missing? I get the first two sentences, but if you were able to tie the activity to a particular KB article as you did, wouldn't that then tell how you the program was propagating?
That just told us which exploit it was using to install itself. We
still >> aren't sure if all of these users visited an infected web site or if just >> one user did and then the worm propagated using the arp broadcasts.
We were able to solve the problem by running Windows Updates and then
stopping the dosprmwin.exe process and removing the file from
\windows\system32. The file was marked as hidden, read-only, and
system. Do you have a copy of this file available for someone to look at?
I do not. I think one of my associates does, but he has been
unavailable. >> When I get a hold of him I will send a copy to whomever wants one.
Running fport or netstat ?a while the process was still running would
show a large number of listening TCP ports. After the process was
killed, these listening ports disappeared.
Does this mean that the output of fport explicitly tied the open ports to this executable file?
Yes. In addition, there was a post to a foreign forum asking about dosprmwin.exe, but I have been unable to translate it. Thanks again
for
all and any help!
Thanks, Harlan ------------------------------------------------------------------------ --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ------------------------------------------------------------------------ ---- --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Possilbe New Arp DoS - dosprmwin.exe dsalasche (Jun 17)
- <Possible follow-ups>
- Re: Possilbe New Arp DoS - dosprmwin.exe H Carvey (Jun 17)
- RE: Possilbe New Arp DoS - dosprmwin.exe Salasche, David (Jun 18)
- RE: Possilbe New Arp DoS - dosprmwin.exe Harlan Carvey (Jun 18)