Security Basics mailing list archives
Re: Possilbe New Arp DoS - dosprmwin.exe
From: H Carvey <keydet89 () yahoo com>
Date: 17 Jun 2004 11:59:46 -0000
In-Reply-To: <20040616150756.5056.qmail () www securityfocus com> David, I read through your post, and I've got some questions regarding what you've presented...
We noticed on Monday a large amount of random arp traffic throughout our network. After a number of false starts, we linked this traffic to an executable named dosprmwin.exe.
What did you do to be able to accomplish this? I think it would be educational to the list if you could elaborate just a little on how you went about doing this.
We have not been able to find information about this program anywhere.
All in all, that's not unusual. It could very be something new, or something not-so-new, but renamed.
The registry key where dosprmwin.exe was found had ?Micro Process? in the name field.
Ok...what's the significance of this?
This only seemed to be exploiting Windows XP machines without the MS04- 015 (kb840374) update. Also, all infected computers are up to date with Norton Anti-Virus Corporate Edition. We are not sure how the program was propagating, but it was sending out arp traffic to random hosts.
I'm still not entirely clear on your line of reasoning here...what am I missing? I get the first two sentences, but if you were able to tie the activity to a particular KB article as you did, wouldn't that then tell how you the program was propagating?
We were able to solve the problem by running Windows Updates and then stopping the dosprmwin.exe process and removing the file from \windows\system32. The file was marked as hidden, read-only, and system.
Do you have a copy of this file available for someone to look at?
Running fport or netstat ?a while the process was still running would show a large number of listening TCP ports. After the process was killed, these listening ports disappeared.
Does this mean that the output of fport explicitly tied the open ports to this executable file? Thanks, Harlan --------------------------------------------------------------------------- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------
Current thread:
- Possilbe New Arp DoS - dosprmwin.exe dsalasche (Jun 17)
- <Possible follow-ups>
- Re: Possilbe New Arp DoS - dosprmwin.exe H Carvey (Jun 17)
- RE: Possilbe New Arp DoS - dosprmwin.exe Salasche, David (Jun 18)
- RE: Possilbe New Arp DoS - dosprmwin.exe Harlan Carvey (Jun 18)