Security Basics mailing list archives
Possilbe New Arp DoS - dosprmwin.exe
From: <dsalasche () brinkshofer com>
Date: 16 Jun 2004 15:07:56 -0000
We noticed on Monday a large amount of random arp traffic throughout our network. After a number of false starts, we linked this traffic to an executable named dosprmwin.exe. We have not been able to find information about this program anywhere. The registry key where dosprmwin.exe was found had Micro Process in the name field. This only seemed to be exploiting Windows XP machines without the MS04-015 (kb840374) update. Also, all infected computers are up to date with Norton Anti-Virus Corporate Edition. We are not sure how the program was propagating, but it was sending out arp traffic to random hosts. We were able to solve the problem by running Windows Updates and then stopping the dosprmwin.exe process and removing the file from \windows\system32. The file was marked as hidden, read-only, and system. Running fport or netstat a while the process was still running would show a large number of listening TCP ports. After the process was killed, these listening ports disap peared. Has anyone else come across this or something similar recently? Thanks for any and all input. David --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Possilbe New Arp DoS - dosprmwin.exe dsalasche (Jun 17)
- <Possible follow-ups>
- Re: Possilbe New Arp DoS - dosprmwin.exe H Carvey (Jun 17)
- RE: Possilbe New Arp DoS - dosprmwin.exe Salasche, David (Jun 18)
- RE: Possilbe New Arp DoS - dosprmwin.exe Harlan Carvey (Jun 18)