Snort mailing list archives

Re: hmm...nimda RICHED20.DLL alarms


From: "Guillaume" <guillaume () anteria fr>
Date: Tue, 22 Jan 2002 10:44:44 +0100 (CET)

In his previous message Roberto Suarez Soto wrote:
On Jan/22, fluid wrote:

i am getting some of these every day from work (seemingly when
users are running Office applications). It is the same set of
machines every day...always attacking the same destination
server. scans of the server are picking up nothing with any
antivirus package i find, and the same is true of the
workstations.

      I've seen these too. They seem to appear in inoffensive and
well-checked networks. I've seen a few nimda .nws and nimda .eml
alerts too, from the same hosts that the RICHED20.DLL came; they
all have been checked for virus, and none was found.

      So, if someone knows something about this, I'm pretty much
      interested too :-)


Hi.

RICHED20.DLL is a file that comes with "standard" Microsoft products
for Windows 95/98 platforms like Office/Access.

From the Microsoft website:
<extract>
Rich Edit Controls
A rich edit control is a window in which the user can enter, edit,
format, print, and save text. The text can be assigned character and
paragraph formatting, and can include embedded COM objects. Rich edit
controls support almost all of the messages and notification messages
used with multiline edit controls. Thus, applications that already
use edit controls can be easily changed to use rich edit controls.
Additional messages and notifications enable applications to access
the functionality unique to rich edit controls. Beginning with Rich
Edit 2.0, there is also single line or multiline capabilities and
plain or rich text. For information about edit controls, see Edit
Controls.
URL: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winui/richedit_9d2r.asp
</extract>


What makes you think that the activities you described are attacks?
If Snort logged the data part of the suspicious packets that triggered
the alerts, did you look at what's inside?

Guillaume

[ Sent with SquirrelMail -  http://www.squirrelmail.org     ]
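Added example (not part of the original message, and not code from the Snort project): a small Python helper that does what Guillaume suggests. It reads Snort "full" alert records together with their hex payload dump, rebuilds the captured bytes, pulls out the printable ASCII and UTF-16LE strings, and, when the packet is NetBIOS/SMB, names the SMB1 command and whether it is a request or a reply, so the analyst can see what actually carried the RICHED20.DLL string before calling it an attack. The two alert records, the rule id [1:9999999:1], the rule message text and the 192.0.2.x addresses are constructed sample data; the first record is an SMB1 NT Create AndX request opening \RICHED20.DLL on a share (the kind of request seen when an application loads the DLL from a file share), the second is an SMTP body that merely mentions the file name. Both trip a plain content match on the string.

```python
"""Triage Snort 'full' alerts whose content match is a file name (RICHED20.DLL here)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample log in the Snort 1.x "-A full -d" layout.  The rule id
# [1:9999999:1], the rule message and the addresses are placeholders, not real
# rule data.  Record 1: SMB1 NT Create AndX request for \RICHED20.DLL (port 139).
# Record 2: an SMTP body (port 25) that only mentions the file name.
SAMPLE_ALERT_LOG = r"""
[**] [1:9999999:1] Virus - Possible NIMDA - RICHED20.DLL [**]
[Classification: Misc activity] [Priority: 3]
01/22-09:12:01.428105 192.0.2.10:1044 -> 192.0.2.5:139
TCP TTL:128 TOS:0x0 ID:4711 IpLen:20 DgmLen:108 DF
***AP*** Seq: 0x1A2B3C4D  Ack: 0x5E6F7081  Win: 0x4470  TcpLen: 20
00 00 00 40 FF 53 4D 42 A2 00 00 00 00 18 07 C8  ...@.SMB........
00 00 00 00 00 00 00 00 00 00 00 00 00 08 F3 FF  ................
00 08 40 00 00 1D 00 00 5C 00 52 00 49 00 43 00  ..@.....\.R.I.C.
48 00 45 00 44 00 32 00 30 00 2E 00 44 00 4C 00  H.E.D.2.0...D.L.
4C 00 00 00                                      L...

[**] [1:9999999:1] Virus - Possible NIMDA - RICHED20.DLL [**]
[Classification: Misc activity] [Priority: 3]
01/22-09:13:44.001932 192.0.2.20:3312 -> 192.0.2.7:25
TCP TTL:128 TOS:0x0 ID:4712 IpLen:20 DgmLen:76 DF
***AP*** Seq: 0x22334455  Ack: 0x66778899  Win: 0x4470  TcpLen: 20
53 75 62 6A 65 63 74 3A 20 6E 69 6D 64 61 20 52  Subject: nimda R
49 43 48 45 44 32 30 2E 44 4C 4C 20 61 6C 61 72  ICHED20.DLL alar
6D 73 0D 0A                                      ms..
"""


@dataclass
class Alert:
    msg: str
    src: str = ""
    dst: str = ""
    payload: bytes = b""


HEADER_RE = re.compile(r"^\[\*\*\] \[\d+:\d+:\d+\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\d\d/\d\d-[\d:.]+ (\S+) -> (\S+)$")
HEX_RE = re.compile(r"^((?:[0-9A-Fa-f]{2} )+)")  # hex column; two spaces precede the ASCII column


def parse_alert_log(text: str) -> list[Alert]:
    """Split a 'full' alert file into records and rebuild each payload from its hex dump."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            alerts.append(Alert(msg=m.group(1)))
        elif alerts and (m := ADDR_RE.match(line)):
            alerts[-1].src, alerts[-1].dst = m.groups()
        elif alerts and (m := HEX_RE.match(line)):
            alerts[-1].payload += bytes.fromhex(m.group(1))
    return alerts


ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # SMB file names are UTF-16LE when FLAGS2 has the Unicode bit


def extract_strings(payload: bytes) -> list[str]:
    """Printable ASCII runs, then UTF-16LE runs, each at least four characters long."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(payload)]
    out += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(payload)]
    return out


SMB1_COMMANDS = {0x2D: "SMB_COM_OPEN_ANDX", 0x2E: "SMB_COM_READ_ANDX", 0x2F: "SMB_COM_WRITE_ANDX",
                 0x75: "SMB_COM_TREE_CONNECT_ANDX", 0xA2: "SMB_COM_NT_CREATE_ANDX"}


def smb_summary(payload: bytes) -> dict | None:
    """Decode the SMB1 header behind the 4-byte NetBIOS session header, or None if not SMB."""
    if len(payload) < 36 or payload[4:8] != b"\xffSMB":
        return None
    command, flags = payload[8], payload[13]
    flags2 = int.from_bytes(payload[14:16], "little")
    return {"command": SMB1_COMMANDS.get(command, f"0x{command:02X}"),
            "reply": bool(flags & 0x80),          # FLAGS bit 7: this is a server reply
            "unicode": bool(flags2 & 0x8000)}     # FLAGS2 bit 15: strings are UTF-16LE


def triage(log_text: str, needle: str = "RICHED20.DLL") -> list[dict]:
    """One row per alert: where it went, what protocol it was, and the strings holding the needle."""
    rows = []
    for a in parse_alert_log(log_text):
        rows.append({
            "msg": a.msg,
            "flow": f"{a.src} -> {a.dst}",
            "dst_port": int(a.dst.rsplit(":", 1)[1]),
            "smb": smb_summary(a.payload),
            "hits": [s for s in extract_strings(a.payload) if needle.lower() in s.lower()],
        })
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERT_LOG):
        print(row)
```

Run against the constructed log, the first row shows an SMB request (not a reply) to port 139 whose only string is the UTF-16LE file name, which is what a file open over a share looks like; the second row shows a plain SMTP body to port 25 in which the name occurs as a word in a subject line. Neither row proves or disproves an infection on its own, but both say far more than the alert header does, and on real data the same distinction (what command, request or reply, which direction) is what separates a Nimda copy from a user opening a document.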



_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://www.geocrawler.com/redir-sf.php3?list=snort-users
