Security Basics mailing list archives

Possible New Arp DoS - dosprmwin.exe


From: <dsalasche () brinkshofer com>
Date: 16 Jun 2004 15:07:56 -0000



We noticed on Monday a large amount of random arp traffic throughout our network.  After a number of false starts, we 
linked this traffic to an executable named dosprmwin.exe. We have not been able to find information about this program 
anywhere. The registry key where dosprmwin.exe was found had “Micro Process” in the name field. This only seemed to be 
exploiting Windows XP machines without the MS04-015 (kb840374) update. Also, all infected computers are up to date with 
Norton Anti-Virus Corporate Edition. We are not sure how the program was propagating, but it was sending out arp 
traffic to random hosts. We were able to solve the problem by running Windows Updates and then stopping the 
dosprmwin.exe process and removing the file from \windows\system32. The file was marked as hidden, read-only, and 
system. Running fport or netstat -a while the process was still running would show a large number of listening TCP 
ports. After the process was killed, these listening ports disappeared. Has anyone else come across this or something 
similar recently?  Thanks for any and all input.

David
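
The symptom described in the post above, ARP requests to random hosts, can be tied to a source machine from a packet capture. The following is an added example, not part of the original post: it assumes a text capture produced by `tcpdump -n arp` on the affected segment, and the function names, window, threshold and sample lines are all constructed for illustration.

```python
import re
from collections import defaultdict, deque

# Text form printed by `tcpdump -n arp` for an ARP request.
ARP_REQ = re.compile(
    r"^(\d\d):(\d\d):(\d\d)\.(\d+) ARP, Request who-has (\S+) "
    r"(?:\(\S+\) )?tell ([^\s,]+), length \d+"
)

def parse(line):
    """Return (seconds_since_midnight, sender, target), or None if not an ARP request."""
    m = ARP_REQ.match(line.strip())
    if not m:
        return None
    h, mi, s, frac, target, sender = m.groups()
    t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac) / 10 ** len(frac)
    return t, sender, target

def arp_sweepers(lines, window=10.0, threshold=20):
    """Map sender -> peak count of distinct targets requested within any
    `window` seconds, for senders whose peak reaches `threshold`.
    Assumes each sender's lines are in time order and do not cross midnight."""
    recent = defaultdict(deque)  # sender -> (time, target) pairs still in the window
    peak = defaultdict(int)
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # replies, IP traffic, blank lines
        t, sender, target = rec
        q = recent[sender]
        q.append((t, target))
        while t - q[0][0] > window:
            q.popleft()
        peak[sender] = max(peak[sender], len({tgt for _, tgt in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

def constructed_capture():
    """Constructed sample: 10.1.0.23 sweeps 40 addresses in 4 s; 10.1.0.7 is ordinary."""
    lines = [
        "15:07:00.050000 ARP, Reply 10.1.0.1 is-at 00:11:22:33:44:55, length 46",
        "15:07:01.000000 IP 10.1.0.7.1034 > 10.1.0.1.53: UDP, length 30",
    ]
    for i in range(40):
        lines.append(f"15:07:{i // 10:02d}.{(i % 10) * 100000:06d} ARP, Request "
                     f"who-has 10.1.{i}.{(i * 37) % 250 + 1} tell 10.1.0.23, length 46")
    for i in range(30):
        target = ("10.1.0.1", "10.1.0.9", "10.1.0.12")[i % 3]
        lines.append(f"15:07:{i:02d}.500000 ARP, Request who-has {target} "
                     f"tell 10.1.0.7, length 46")
    return sorted(lines)

if __name__ == "__main__":
    print(arp_sweepers(constructed_capture()))
```

A host that keeps asking for its gateway and a few peers stays far below the threshold, while a host requesting many different addresses in a short window stands out as the one to pull off the network and inspect.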
