[66959] in North American Network Operators' Group


Re: Possible New RPC vulnerability and Worm?????

daemon@ATHENA.MIT.EDU (tad pedley)
Thu Jan 29 19:58:57 2004

Date: Thu, 29 Jan 2004 16:58:21 -0800 (PST)
From: tad pedley <tadpedley@yahoo.com>
To: nanog@merit.edu
In-Reply-To: <20040129232125.11467.qmail@web60210.mail.yahoo.com>
Errors-To: owner-nanog-outgoing@merit.edu



Just found this on the Symantec site, this seems a little rushed after reading it. Anyone have any thoughts?

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.anig.html

tad pedley <tadpedley@yahoo.com> wrote:
Has anyone heard of a new Microsoft RPC vulnerability today? I'm hearing conflicting reports of a new worm that is exploiting this new vulnerability. We have seen the following process created on our XP workstations:
 
It apparently creates the following process "NTOSA32.EXE" with a dependency for RPC. It is also running as the distributed file controller. There also seems to be a link to this file: "NTBKH32.DLL".
 
Please forgive the simplicity of the post, but that is all the info we are seeing right now. Our AV is looking at it and so far has said little other than it is a new worm. Just trying to see if anyone has seen or heard this.
 
Thanks,
T


