Security Basics mailing list archives

Re: Possible New Arp DoS - dosprmwin.exe


From: H Carvey <keydet89 () yahoo com>
Date: 17 Jun 2004 11:59:46 -0000

In-Reply-To: <20040616150756.5056.qmail () www securityfocus com>

David,

I read through your post, and I've got some questions regarding what you've presented...

We noticed on Monday a large amount of random arp traffic throughout our 
network.  After a number of false starts, we linked this traffic to an 
executable named dosprmwin.exe. 

What did you do to be able to accomplish this?  I think it would be educational to the list if you could elaborate just 
a little on how you went about doing this.

We have not been able to find information about this program anywhere. 

All in all, that's not unusual.  It could very well be something new, or something not-so-new, but renamed.

The registry key where dosprmwin.exe was found had "Micro Process" in 
the name field. 

Ok...what's the significance of this?

This only seemed to be exploiting Windows XP machines without the MS04-
015 (kb840374) update. Also, all infected computers are up to date with 
Norton Anti-Virus Corporate Edition. We are not sure how the program was 
propagating, but it was sending out arp traffic to random hosts.

I'm still not entirely clear on your line of reasoning here...what am I missing?  I get the first two sentences, but if 
you were able to tie the activity to a particular KB article as you did, wouldn't that then tell you how the program 
was propagating?  

We were able to solve the problem by running Windows Updates and then 
stopping the dosprmwin.exe process and removing the file from 
\windows\system32. The file was marked as hidden, read-only, and system.

Do you have a copy of this file available for someone to look at?

Running fport or netstat -a while the process was still running would 
show a large number of listening TCP ports. After the process was 
killed, these listening ports disappeared. 

Does this mean that the output of fport explicitly tied the open ports to this executable file?  

Thanks,

Harlan
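The last question above asks whether the port listing actually tied the listening ports to the executable. The following script is an added example, not code from either message in this thread: it correlates the PID column of `netstat -ano` (the `-o` switch is what makes the PID visible on Windows XP and later, so fport is not strictly needed) with `tasklist /fo csv /nh` to attribute each listening TCP port to a process image, then flags any process holding an unusual number of listening ports. Both command outputs below are constructed samples; the PIDs, addresses and the threshold of five ports are assumptions made for the example, and the image name dosprmwin.exe is only reused from the post as sample data.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output in the Windows column layout.
# Hosts, ports and PIDs are made up for this example.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:1026           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING       1436
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING       1436
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1031      192.168.1.20:445       ESTABLISHED     1436
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist /fo csv /nh` output (no header row).
TASKLIST_SAMPLE = """\
"System","4","Console","0","236 K"
"svchost.exe","912","Console","0","4,512 K"
"dosprmwin.exe","1436","Console","0","3,208 K"
"""

# One netstat data row: proto, local, foreign, optional state (UDP rows have
# none), PID.  Banner and column-header lines do not match and are skipped.
NETSTAT_LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)


def parse_netstat(text):
    """Parse `netstat -ano` style output into a list of socket records."""
    records = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, foreign, state, pid = m.groups()
        # rpartition on the last colon also copes with IPv6 forms like [::]:135
        ip, _, port = local.rpartition(":")
        records.append({
            "proto": proto,
            "local_ip": ip,
            "local_port": int(port),
            "foreign": foreign,
            "state": state or "",
            "pid": int(pid),
        })
    return records


def parse_tasklist(text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    images = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 2:
            continue
        try:
            images[int(row[1])] = row[0]
        except ValueError:
            continue  # tolerate a header row if /nh was forgotten
    return images


def listening_ports_by_process(netstat_text, tasklist_text):
    """Return {(pid, image): sorted list of TCP ports in LISTENING state}."""
    images = parse_tasklist(tasklist_text)
    ports = defaultdict(set)
    for rec in parse_netstat(netstat_text):
        if rec["proto"] == "TCP" and rec["state"] == "LISTENING":
            key = (rec["pid"], images.get(rec["pid"], "<unknown>"))
            ports[key].add(rec["local_port"])
    return {key: sorted(p) for key, p in ports.items()}


def flag_port_hoarders(by_process, threshold=5):
    """List (pid, image, count) for processes at or above the port threshold."""
    hits = [(pid, image, len(p))
            for (pid, image), p in by_process.items() if len(p) >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    by_proc = listening_ports_by_process(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for (pid, image), p in sorted(by_proc.items()):
        print(f"{image:<16} PID {pid:<6} listening TCP ports: {p}")
    for pid, image, n in flag_port_hoarders(by_proc):
        print(f"FLAG: {image} (PID {pid}) holds {n} listening TCP ports")
```

On a live host the two sample strings would be replaced by the captured output of the two commands, taken before the suspect process is stopped; the before-and-after comparison the post describes then becomes a diff of the two dictionaries rather than a visual count.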

