[71699] in North American Network Operators' Group
RE: Interesting Occurrence
daemon@ATHENA.MIT.EDU (Randy Bush)
Mon Jun 21 14:13:28 2004
From: Randy Bush <randy@psg.com>
Date: Mon, 21 Jun 2004 14:06:24 -0400
To: "Luke Starrett" <lstarrett@nc.rr.com>
Cc: <Brent_OKeeffe@asc.aon.com>, <nanog@merit.edu>
Errors-To: owner-nanog-outgoing@merit.edu
you sent html as opposed to an email message. as i do not use a web browser
to read mail, i can not read your message. if you want me to read your
email, send email.
randy
> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
> <HTML><HEAD>
> <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">
> <TITLE>Message</TITLE>
>
> <META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
> <BODY>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN class=613275217-21062004>That
> almost looks like one of the dummy user accounts that gets added as part of
> IIS. I see a couple of these on one win2k server that I
> maintain:</SPAN></FONT></DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004></SPAN></FONT> </DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004>"IWAM_<hostname>" (Launch IIS Process
> Account)</SPAN></FONT></DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004></SPAN></FONT> </DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004>"IUSER_<hostname>" (Internet Guest
> Account)</SPAN></FONT></DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004></SPAN></FONT> </DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004>Luke</SPAN></FONT></DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004></SPAN></FONT> </DIV>
> <DIV><FONT face=Arial color=#0000ff size=2><SPAN
> class=613275217-21062004></SPAN></FONT> </DIV>
> <DIV></DIV>
> <DIV><FONT face=Tahoma size=2>-----Original Message-----<BR><B>From:</B>
> owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] <B>On Behalf Of
> </B>Brent_OKeeffe@asc.aon.com<BR><B>Sent:</B> Monday, June 21, 2004 1:45
> PM<BR><B>To:</B> nanog@merit.edu<BR><B>Subject:</B> Interesting
> Occurrence<BR><BR></DIV></FONT>
> <BLOCKQUOTE
> style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #0000ff 2px solid; MARGIN-RIGHT: 0px"><BR><FONT
> face=sans-serif size=2>Okay... Here is a new one for me. Got a call from
> my dad saying he left his PC on last night connected to his broadband.
> He went to log in this morning and noticed a new ID in his user list -
> IWAP_WWW. He immediately deleted is and called me. I had him
> ensure his critical updates we all applied - they were. I had him ensure
> his antivirus was up to date - it was (Norton Antivirus 2004). He is
> running XP Home.</FONT> <BR><BR><FONT face=sans-serif size=2>I searched the
> antivirus sites and elsewhere for references. Any idea if there is a new
> vulnerability that has not been publicly released? Any clues?</FONT>
> <BR><BR><FONT face=sans-serif size=2>Regards,</FONT> <BR><FONT face=sans-serif
> size=2>Brent</FONT> <BR></BLOCKQUOTE></BODY></HTML>
