Snort mailing list archives
Re: hmm...nimda RICHED20.DLL alarms
From: "Guillaume" <guillaume () anteria fr>
Date: Tue, 22 Jan 2002 10:44:44 +0100 (CET)
In his previous message, Roberto Suarez Soto wrote:

> On Jan/22, fluid wrote:
>
>> I am getting some of these every day from work (seemingly when users are running Office applications). It is the same set of machines every day...always attacking the same destination server. Scans of the server are picking up nothing with any antivirus package I find, and the same is true of the workstations.
>
> I've seen these too. They seem to appear in inoffensive and well-checked networks. I've seen a few nimda .nws and nimda .eml alerts too, from the same hosts that the RICHED20.DLL came; they all have been checked for virus, and none was found. So, if someone knows something about this, I'm pretty much interested too :-)

Hi. RICHED20.DLL is a file that comes with "standard" Microsoft products for Windows 95/98 platforms like Office/Access.

From the Microsoft website:

<extract>
Rich Edit Controls

A rich edit control is a window in which the user can enter, edit, format, print, and save text. The text can be assigned character and paragraph formatting, and can include embedded COM objects. Rich edit controls support almost all of the messages and notification messages used with multiline edit controls. Thus, applications that already use edit controls can be easily changed to use rich edit controls. Additional messages and notifications enable applications to access the functionality unique to rich edit controls. Beginning with Rich Edit 2.0, there is also single line or multiline capabilities and plain or rich text. For information about edit controls, see Edit Controls.

URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/richedit_9d2r.asp
</extract>

What makes you think that the activities you described are attacks? If snort logged the data part of suspicious packets that triggered alerts, did you look at what's inside?

Guillaume

[ Sent with SquirrelMail - http://www.squirrelmail.org ]

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users