Security Basics mailing list archives

RE: Possilbe New Arp DoS - dosprmwin.exe


From: "Salasche, David" <dsalasche () brinkshofer com>
Date: Fri, 18 Jun 2004 09:36:10 -0500

David,



I read through your post, and I've got some questions regarding what
you've presented...



We noticed on Monday a large amount of random arp traffic throughout our
network.  After a number of false starts, we linked this traffic to an
executable named dosprmwin.exe.



What did you do to be able to accomplish this?  I think it would be
educational to the list if you could elaborate just a little on how you
went about doing this.

We used Ethereal to detect the traffic. We found dosprmwin by
comparing the process list on machines that were broadcasting and
then used process of elimination.

We have not been able to find information about this program anywhere.




All in all, that's not unusual.  It could very well be something new, or
something not-so-new, but renamed.



The registry key where dosprmwin.exe was found had "Micro Process" in
the name field.



Ok...what's the significance of this?

I wasn't sure if this had any significance but wanted to include all
information we had. I was hoping someone might recognize this name.

This only seemed to be exploiting Windows XP machines without the
MS04-015 (kb840374) update. Also, all infected computers are up to date
with Norton Anti-Virus Corporate Edition. We are not sure how the program
was propagating, but it was sending out arp traffic to random hosts.



I'm still not entirely clear on your line of reasoning here...what am I
missing?  I get the first two sentences, but if you were able to tie the
activity to a particular KB article as you did, wouldn't that then tell
you how the program was propagating?

That just told us which exploit it was using to install itself. We
still aren't sure if all of these users visited an infected web site
or if just one user did and then the worm propagated using the arp
broadcasts.


We were able to solve the problem by running Windows Updates and then
stopping the dosprmwin.exe process and removing the file from
\windows\system32. The file was marked as hidden, read-only, and
system.



Do you have a copy of this file available for someone to look at?

I do not. I think one of my associates does, but he has been
unavailable. When I get a hold of him I will send a copy to whomever
wants one.

Running fport or netstat -a while the process was still running would
show a large number of listening TCP ports. After the process was
killed, these listening ports disappeared.



Does this mean that the output of fport explicitly tied the open ports
to this executable file?  

Yes.
In addition, there was a post to a foreign forum asking about
dosprmwin.exe, but I have been unable to translate it. Thanks again
for all and any help!

Thanks,



Harlan




---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------
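The detection step the poster describes (spotting random ARP traffic in Ethereal, then working out which hosts were broadcasting) can be scripted. The example below is added here and is not code from the thread or from either poster: it reads tcpdump-style ARP lines, counts how many distinct targets each sender asked for, and flags senders whose fan-out exceeds a threshold. The log lines, host addresses and the threshold of 8 are constructed for the example; a real capture would be fed in from a file.

```python
"""Flag hosts that ARP for an unusually large number of distinct targets.

Hypothetical example for the dosprmwin.exe thread: the symptom reported was
a host sending ARP requests to random addresses.  Legitimate hosts resolve a
handful of neighbours (gateway, file server, printer); a host resolving
dozens of addresses in a short window is the one to pull the process list
from.  SAMPLE_LOG is constructed, not captured from the incident.
"""
import re
from collections import defaultdict

# tcpdump -n prints an ARP request as:
#   09:36:10.000101 ARP, Request who-has 10.0.0.57 tell 10.0.0.12, length 28
ARP_REQUEST = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d+) ARP, Request who-has "
    r"(?P<target>\d{1,3}(?:\.\d{1,3}){3}) tell "
    r"(?P<sender>\d{1,3}(?:\.\d{1,3}){3})"
)

# Constructed sample: 10.0.0.12 sweeps ten random addresses (one repeated),
# 10.0.0.20 resolves its gateway and one server; replies and IP traffic
# are present to show they are ignored.
SAMPLE_LOG = """\
09:36:10.000101 ARP, Request who-has 10.0.0.57 tell 10.0.0.12, length 28
09:36:10.000202 ARP, Request who-has 10.0.0.131 tell 10.0.0.12, length 28
09:36:10.000303 ARP, Request who-has 10.0.0.9 tell 10.0.0.12, length 28
09:36:10.000404 ARP, Request who-has 10.0.0.200 tell 10.0.0.12, length 28
09:36:10.000505 ARP, Request who-has 10.0.0.77 tell 10.0.0.12, length 28
09:36:10.000606 ARP, Request who-has 10.0.0.3 tell 10.0.0.12, length 28
09:36:10.000707 ARP, Request who-has 10.0.0.244 tell 10.0.0.12, length 28
09:36:10.000808 ARP, Request who-has 10.0.0.118 tell 10.0.0.12, length 28
09:36:10.000909 ARP, Request who-has 10.0.0.42 tell 10.0.0.12, length 28
09:36:10.001010 ARP, Request who-has 10.0.0.166 tell 10.0.0.12, length 28
09:36:10.001111 ARP, Request who-has 10.0.0.57 tell 10.0.0.12, length 28
09:36:10.002000 ARP, Request who-has 10.0.0.1 tell 10.0.0.20, length 28
09:36:10.002100 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
09:36:10.002200 ARP, Request who-has 10.0.0.5 tell 10.0.0.20, length 28
09:36:10.002300 IP 10.0.0.20.49152 > 10.0.0.5.80: Flags [S], seq 1, win 65535, length 0
"""


def parse_arp_requests(text):
    """Return (timestamp, sender, target) for every ARP request line.

    Replies, IP packets and anything the regex does not match are skipped,
    so the function tolerates a full mixed capture dump.
    """
    records = []
    for line in text.splitlines():
        m = ARP_REQUEST.match(line)
        if m:
            records.append((m.group("ts"), m.group("sender"), m.group("target")))
    return records


def fanout_by_sender(records):
    """Map each sender to the set of distinct targets it asked for."""
    targets = defaultdict(set)
    for _ts, sender, target in records:
        targets[sender].add(target)
    return targets


def flag_scanners(records, threshold=8):
    """Return [(sender, distinct_target_count)] for senders above threshold.

    Distinct targets are counted rather than raw requests so that a host
    retrying one unanswered address is not mistaken for a sweep.  The
    threshold is an assumption for this example; tune it per segment.
    """
    fanout = fanout_by_sender(records)
    flagged = [(s, len(t)) for s, t in fanout.items() if len(t) > threshold]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    recs = parse_arp_requests(SAMPLE_LOG)
    print(f"{len(recs)} ARP requests parsed")
    for sender, count in flag_scanners(recs):
        print(f"{sender}: asked for {count} distinct hosts, check its process list")
```

Run it against `tcpdump -n -l arp` output (or an Ethereal/Wireshark text export with the same fields) instead of SAMPLE_LOG, then compare the process and listening-port lists of flagged hosts against a clean machine, which is the elimination step the poster used.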



