Re: worm that crashes win explorer upon search

[Douglas Duckworth <stlpcsecurity () gmail com>]

Sorry, sent it to wrong address..

On 8/17/05, Douglas Duckworth <stlpcsecurity () gmail com> wrote:
> DEP only works on certian processors.
> http://support.microsoft.com/kb/875352
> http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx
>
> "Data Execution Prevention (DEP) is a set of hardware and software
> technologies that perform additional checks on memory to help prevent
> malicious code from running on a system. In Microsoft Windows XP
> Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005,
> DEP is enforced by hardware and by software.
>
> The primary benefit of DEP is to help prevent code execution from data
> pages. Typically, code is not executed from the default heap and the
> stack. Hardware-enforced DEP detects code that is running from these
> locations and raises an exception when execution occurs.
> Software-enforced DEP can help prevent malicious code from taking
> advantage of exception-handling mechanisms in Windows."
>
> You could try blocking ports with IPSec:
> http://support.microsoft.com/?id=813878
>
> Also, you could try installing ethereal, which will give a better idea
> how it is spreading.  I would not recommend that you use it in an
> infected pc, however, use it on a firewalled computer which is up to
> date with patches.
>
>
> And the windows firewall may help for computers that are not currently
> infected, however, it will not block outgoing traffic.
>
> -Doug
>
> On 8/16/05, Luis Osorio <luis.osorio () parfois com> wrote:
> > Hi,
> >
> > Try to check DEP (Data Execution Prevention). This could happen if explorer is trying to launch the search program.
> >
> > regards,
> >
> >
> > Luis Osório
> > Parfois - IT Department
> > Telef:+351220900240
> > Telem:+351917798455
> > www.parfois.com
> > -------------------------------------------------------------------------------
> > Barata & Ramilo, S.A.
> > Rua de Sistelo
> > Lugar de Santegãos
> > 4435-429 Rio Tinto
> > Portugal
> >
> > -----Original Message-----
> > From: Leon [mailto:roastin () yahoo com]
> > Sent: segunda-feira, 1 de Agosto de 2005 21:20
> > To: security-basics () securityfocus com
> > Subject: worm that crashes win explorer upon search
> >
> > Hi,
> >
> > I have a client who suspects that they may have a worm running around there network that is infecting machines 
> > through open shares or some other means of propogation.  The symptom is that when people open up windows exploer 
> > and try to search the explorer.exe process dies.
> >
> > I installed the microsoft spyware application and they are using up-to-date virus definitions with their scanner.  
> > I also went through netstat looking for strange open port and saw nothing.  The event log also has nothing out of 
> > the ordinary in it
> >
> > What is the best way to troubleshoot something like this?  I can get the dump file from dr watson but I am unsure 
> > where to go from there.
> >
> > Suggestions appreciated.
> >
> > Thx,
> >
> > Leon
> >
> >
> >
> >
> > ____________________________________________________
> > Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs