Security Incidents mailing list archives

netbuie.exe, scorpionsearch.com and fastcounter.bcentral.com


From: "Edwards, David (JTS)" <Edwards.Dave () saugov sa gov au>
Date: Tue, 7 May 2002 10:10:06 +0930

Hi,

We've just found some instances of "netbuie.exe" running in some terminal
server sessions here.  The file was written to the Winnt\system32 directory
about 6:00pm on Sunday and registry entries made in:

HKLM/Software\Microsoft\windows\current version\run
HKLM/Software\Microsoft\windows\run

It seems to be a VB 5 PE that hits on two web sites, scorpionsearch.com and
fastcounter.bcentral.com, when run.  Possibly just generating revenue for
some bod somewhere.

Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
patches missing and 2 IE6.

This sounded familiar (when I first saw it) but I haven't been able to find
any other references so I thought I'd make one :-)   The worry is (of
course) that the server is further compromised.  Anyone seen this before?

ciao
dave
---
Dave Edwards 
Justice Technology Services
Ph: +61 8 82265426 || 0408 808355 
mailto: edwards.dave () saugov sa gov au
Snail : Justice Technology Services 
        GPO Box 2048, Adelaide 5001
---



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
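
The autorun persistence described in the post above can be checked across hosts by parsing exported Run-key listings. The following is an added example, not part of the original message: only the file name netbuie.exe comes from the post, while the `reg query` output layout, the key paths and every sample entry are constructed assumptions.

```python
import ntpath
import re

# Indicator taken from the post; everything else below is constructed sample data.
INDICATORS = {"netbuie.exe"}

# Constructed `reg query` style output (modern reg.exe layout assumed).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Synchronization Manager    REG_SZ    mobsync.exe /logon
    NetBuie    REG_SZ    C:\WINNT\System32\NETBUIE.EXE
    Updater    REG_SZ    "C:\Program Files\Example App\update.exe" -s

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
"""

def parse_reg_query(text):
    """Yield (key, value_name, value_type, data) for each value line."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key path
            key = line.strip()
            continue
        # Fields are separated by runs of spaces or tabs; names may hold single spaces.
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[1], parts[2]

def exe_name(command):
    """Return the lower-cased executable file name from an autorun command."""
    m = re.search(r'"?([^"]*?\.exe)', command, re.IGNORECASE)
    target = m.group(1) if m else command.split()[0]
    return ntpath.basename(target).lower()

def find_hits(text, indicators=INDICATORS):
    """Return autorun entries whose executable matches a known indicator."""
    return [(key, name, data)
            for key, name, _type, data in parse_reg_query(text)
            if exe_name(data) in indicators]

if __name__ == "__main__":
    for key, name, data in find_hits(SAMPLE):
        print(f"{key}\\{name} -> {data}")
```

Matching is on the file name only, so a renamed copy will not be flagged; comparing each host's autorun entries against a known-good baseline covers that case.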

