[71696] in North American Network Operators' Group
RE: Interesting Occurrence
daemon@ATHENA.MIT.EDU (Luke Starrett)
Mon Jun 21 13:59:54 2004
From: "Luke Starrett" <lstarrett@nc.rr.com>
To: <Brent_OKeeffe@asc.aon.com>, <nanog@merit.edu>
Date: Mon, 21 Jun 2004 13:55:55 -0400
In-Reply-To: <OF98851BAA.5F0A4E9F-ON86256EBA.005FCB8E-85256EBA.006179AB@aon.com>
Errors-To: owner-nanog-outgoing@merit.edu
That almost looks like one of the dummy user accounts that gets added as
part of IIS. I see a couple of these on one win2k server that I maintain:

"IWAM_<hostname>" (Launch IIS Process Account)

"IUSER_<hostname>" (Internet Guest Account)

Luke

-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
Brent_OKeeffe@asc.aon.com
Sent: Monday, June 21, 2004 1:45 PM
To: nanog@merit.edu
Subject: Interesting Occurrence
Okay... Here is a new one for me. Got a call from my dad saying he left his
PC on last night connected to his broadband. He went to log in this morning
and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it
and called me. I had him ensure his critical updates were all applied - they
were. I had him ensure his antivirus was up to date - it was (Norton
Antivirus 2004). He is running XP Home.

I searched the antivirus sites and elsewhere for references. Any idea if
there is a new vulnerability that has not been publicly released? Any
clues?

Regards,
Brent