
MS05-011 - Exploit Code to attack SMB vulnerabilities

Q: MS05-011 - Exploit Code to attack SMB vulnerabilities

Hopefully, most companies and individuals are up-to-date on Microsoft security patches. This new exploit has just been developed from the MS05-011 security bulletin published in February. It could be adapted for use in future computer viruses and worms.

MS05-011 - Exploit Code to attack SMB vulnerabilities published
http://isc.sans.org/diary.php?date=2005-06-23

QUOTE: FrSIRT has published exploit code for the recent flaw in Microsoft Server Message Block (SMB). The advisory and patch related to this vulnerability were released on February 8th, 2005. If you still have not patched, you are further urged to do so in light of the release of exploit code.

FrSIRT - Published exploit (be careful as POC code is here)
http://www.frsirt.com/exploits/20050623.mssmb_poc.c.php


MS05-036: Color Management Exploit Code in Wild

Please ensure you are up-to-date on all Microsoft security bulletins as a new exploit based on the July 2005 updates has been discovered in the wild. So far, the new threat will only crash Internet Explorer, but it could be tailored into a more harmful threat that might impact unpatched systems.

ISC Warning: MS05-036: Color Management Exploit Code in Wild
http://isc.sans.org/diary.php?date=2005-07-21

Microsoft Security Bulletin MS05-036: Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214)
http://www.microsoft.com/technet/security/...n/ms05-036.mspx

FrSIRT: Microsoft Color Management Module Buffer Overflow Exploit (MS05-036) -- Please be careful as actual exploit code is found here
http://www.frsirt.com/exploits/20050721.icc_ex.c.php

We've received reports that the Color Management Module ICC Profile Buffer Overflow Vulnerability has exploit code available and is being used out in the wild. The vulnerability information from Microsoft is available over at MS Technet. To mitigate this vulnerability, apply the appropriate patch. It appears that this version of the exploit code will only crash the browser, but it wouldn't be difficult to put in code for execution. FrSIRT put out an advisory on the code being in the wild this morning.


Hey, was told to post my HJT log here after following microbells 5 step instructions, which I did.

Basically ewido keeps popping up saying I have an infected file, which is called

microsoft[1].wmf
or
Microsoft_Windows_Advanced_Upgrade_Wizard_Logo_______________________________________________________________________[1].emf

they are always located here...
"...local settings/temporary internet files/content.IE5/ *insert random numbers and letters folder here*"

I keep quarantining the infected files (using my full version copy of ewido) and deleting them but the same named ones keep coming back.

I have all the windows updates, and even downloaded the patch from
http://www.microsoft.com/downloads/d...displaylang=en

to supposedly fix the metafile exploit, but as soon as I rebooted after installing that... about 10 mins later... ewido popped up with the warning again.

So yeah...

Here's my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:54:38 PM, on 25/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\system32\nvsvc32.exe ... Read more

A:Exploit.MS05-053-WMF

Please download CleanUp! and install it. Do not run it yet!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Set the slider to "Standard CleanUp!"
Uncheck the following:
Delete Newsgroup cache
Delete Newsgroup Subscriptions
Scan local drives for temporary files

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

WARNING - CleanUp! will delete all files and folders contained within Temporary Directories. If you knowingly have items you would like to keep that are stored in these locations, move them now!!!

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes. The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:
Select My Computer

This program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:

Save the file to... Read more


This proof-of-concept DTC exploit appears to be reverse engineered from the October updates. As this critical vulnerability impacts communications security, it could be potentially crafted into a new Internet worm, based on some reports I've read. Please be sure you are up-to-date on all Microsoft Windows updates (esp. through October 2005).

Microsoft Windows Distributed Transaction Coordinator Remote Exploit (MS05-051)
Please be careful as this link contains actual exploit code below:
http://www.frsirt.com/exploits/20051127.55k7-msdtc.c.php


A new trojan horse exploit manipulates an IE Java vulnerability patched in July. This is not widespread and it is low risk overall. Please be sure you are on the latest Microsoft patches through Windows Update as other exploits could also manipulate this security vulnerability.

MS05-037: Trojan.Jevprox - Low risk IE exploit
Trojan.Jevprox is a downloader Trojan that exploits the Microsoft Internet Explorer Javaprxy.DLL COM Object Instantiation Heap Overflow Vulnerability described in Microsoft Security Bulletin MS05-037.

A:MS05-037: Trojan.Jevprox - Low risk IE exploit

Thanks for the intelligence report Harry. I just encountered and dl'd Swat It, intriguing specs for anti trojan software. https://onesecond-128bit- encryption.net ???? - is that security or what?? Real link was http://swatit.org/download.html it's a free pro version?? Exciting when new software appears, especially spywarrior apps.


Brand new POC exploits reverse engineered from critical October & November Microsoft security updates have been formally published. Hopefully everyone is patched up, as these POC exploits could be further crafted by the bad guys out there.

Microsoft Windows Metafile (WMF) Image Handling Remote Exploit (MS05-053)
Please only view this POC exploit code present here
http://www.frsirt.com/exploits/20051129.MS05-053.c.php
* The crafted metafile from this code when viewed in internet explorer raises the CPU
* utilization to 100%. The code was tested on Windows 2000 server SP4. The issue does
* not occur with the hotfix for GDI (MS05-053) installed

Microsoft Windows Distributed Transaction Coordinator Remote Exploit (MS05-051)
Please only view this POC exploit code present here
http://www.frsirt.com/exploits/20051127.55k7-msdtc.c.php


Hi,

I have a Windows 2016 server that I ran the script fix on:

https://gallery.technet.microsoft.com/scriptcenter/Solve-SWEET32-Birthday-d2df9cf1

However, a subsequent scan on this server still showed that the vulnerabilities exist on it. I manually checked the registry values and they were properly modified as per the script. However, I'm still seeing the vulnerabilities.

Has anyone experienced this issue as well?

Thanks,
Tim


I frequently visit a website called comicbookresources.com for news on the comic book industry and related topics. I have a Norton SafeWeb toolbar installed in my browser on Internet Explorer 8. Yesterday, the SafeWeb icon displayed a caution icon. When I clicked it, it said that the website had a report on a virus threat. The report can be referenced as follows:
 
http://safeweb.norton.com/report/show?url=http:%2F%2Fwww.comicbookresources.com%2Fnews&product=N360&version=20.4.0.40&layout=OEM&lang=0901&source=toolbar
 
So, out of a sense of caution, I ran scans with Norton 360 (quick and full).  It found and removed tracking cookies.  I ran a scan with Norton Power Eraser and it fixed something with the registry.  Also, I ran scans with TDSS Killer and Malwarebytes Anti-Malware.  Nothing turned up there.  I also ran TFC to clear out the temp files.
 
So far, my PC has been functioning normally.  Is there anything else I should do just in case there is something else hiding on my PC that I don't know anything about?
 
((If you want, I can also forward the logs from Norton 360 and NPE.  I just need to know how I can access and post those logs for review)).
 
Thanks for your time.
 
 

A:Possible attack with Web Attack: Red Exploit Kit Website

I'm not surprised.
Two days ago my web site was marked by Norton with "Caution".
Here is the funny (or tragic) part.
It was marked with "Caution" because of a few links leading to.....BleepingComputer, specifically to a couple of registry fixes posted by....BC owner, Mr. Grinler.

On top of it, it happened for the second time this year for the very same links.

To make things even more pathetic, the re-evaluation link at the Norton site didn't work so I had to email them.
They fixed it the next day but do you want to trust them?
I won't.


I have been running the trial activated version of HitmanPro Alert 3 on one PC, and during installation of program X it would flag the installer and terminate its process.

How can I determine if it's a real exploit or just bad coding/script on behalf of developer?
Is it possible for Exploit Mitigation techniques to give False Positive results?
The software under question is licensed software, from a genuine brand used in businesses / work purposes.
 

A:Exploit Mitigation in HMP Alert 3: Bad code, real exploit or FP?

Huracan said:

I have been running the trial activated version of HitmanPro Alert 3 on one PC, and during installation of program X it would flag the installer and terminate its process.

How can I determine if it's a real exploit or just bad coding/script on behalf of developer?
Is it possible for Exploit Mitigation techniques to give False Positive results?
The software under question is licensed software, from a genuine brand used in businesses / work purposes.

Yes it can have false positives!
For example I have been using it for quite some time and it blocks the "Internet download manager" plugin from working in Chrome!

What software are you talking about?
 


MS09-003 (Critical) Bulletin
MS09-005 (Important 3X Vulnerability) Bulletin
Should be covered in Windows Updates within tonight and tomorrow, or next day (2-12).
More vulnerabilities


"Day One" Exploits have been published for MS05-005 and MS05-009

PoC's available for MS05-005 and MS05-009
http://isc.sans.org//diary.php?date=2005-02-09

Proof of concept code has been released for the MS05-005 (Microsoft Office URL handling) and MS05-009 (Multiple PNG file decode problems) issues. Both of these are on the critical patch list, and we expect to see malware utilizing either of these attacks in the near future. The portion of MS05-009 that relates to MSN Messenger, the CAN-2004-0597 libpng vulnerability, is especially serious, as CORE Security has determined that this attack may be possible to execute in a completely undetected manner to the end user with little to no user interaction, depending on MSN client settings.


DCOM Exploit attack
Does anyone know what this is and why i get so many of them?
They are being blocked by Avast.
Thank You,
Gary Teresi
 


For 2 days now my computer has been under attack. See a screen shot of Avast message -- So far the attacks have not succeeded. They can't get past the firewall. Or past Avast... I was wondering if anyone else has been under attack? I guess this is the right area to post this in. I live in Virginia, USA.

Mod Edit: Topic moved to a more appropriate forum - QM7

A:Dcom Exploit Attack

Network shield is meant to block known internet worms. "NETWORK SHIELD: BLOCKED "DCOM EXPLOIT" - ATTACK FROM 200.217.63.80:135/TCP" basically means avast has blocked one (dcom exploit) and you are protected/safe. See the discussions here and here.


Hiya

This is two-fold:

A vulnerability exists in Microsoft Word that could allow an attacker to run arbitrary code on a user's system.
If a user is logged on with administrative privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.
Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.
Affected Software:

• Microsoft Word 2000 and Microsoft Works Suite 2001
• Microsoft Word 2002, Microsoft Works Suite 2002, Microsoft Works Suite 2003, and Microsoft Works Suite 2004
• Microsoft Office Word 2003

http://www.microsoft.com/technet/security/Bulletin/MS05-023.mspx

Regards

eddie
 

A:Vulnerabilities in Microsoft Word May Lead to Remote Code Execution

unsticking
 


Norton detected an infection and I need help getting rid of it. It says it's high risk. I've attached the logs. Thanks.
Category: Intrusion Prevention
Date & Time,Risk,Activity,Status,Recommended Action,IPS Alert Name,Default Action,Action Taken,Attacking Computer,Attacker URL,Destination Address,Source Address,Traffic Description
11/4/2013 5:31:01 PM,High,An intrusion attempt by KATE-PC was blocked.,Blocked,No Action Required,Web Attack: Neutrino Exploit Kit Website 4,No Action Required,No Action Required,"KATE-PC (10.0.0.11, 51306)",reehoh7.nebraskasky.net:8000/zimwppoqbhlwmziet,"62.113.243.95, 8000",10.0.0.11 (10.0.0.11),"TCP, Port 51306"
Network traffic from reehoh7.nebraskasky.net:8000/zimwppoqbhlwmziet matches the signature of a known attack.  The attack was resulted from \DEVICE\HARDDISKVOLUME1\PROGRAM FILES (X86)\MOZILLA FIREFOX\FIREFOX.EXE.  To stop being notified for this type of traffic, in the Actions panel, click Stop Notifying Me.

A:PC infected with Web Attack: Neutrino Exploit Kit Website 4

Hello, Welcome to BleepingComputer. I'm nasdaq and will be helping you.
If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===
Nothing suspicious was found on your DDS log.

Please download AdwCleaner by Xplode onto your Desktop.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the Report button and the report will open in Notepad.
IMPORTANT
If you click the Clean button all items listed in the report will be removed.
If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.
Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button and follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleaner[Sn].txt (n is a number).

Please download Junkware Removal Tool to your Desktop.
Please close your security software to avoid potential conflicts.
Run the tool by double-clicking it. If you are using Windows Vista or 7, right-mouse click it and select Run as administrator.
The tool will open and start scanning your system.
Please be patient as this can take a while to c... Read more


I was watching a video online using flash player, running in firefox with noscript and adblockplus running as extensions. I had disabled adblockplus on the webpage because the video refused to function if I did not; I had allowed most of the scripts on the page (including one from google) within noscript.
I started playing the video (it was on a large legitimate site http://yesterday.uktv.co.uk/shows/ but I'm concerned about malvertising here so that fact doesn't make much difference) and moments later a window (I'm pretty sure it was a window, not a pop-up designed to look like one, because it appeared in my taskbar too) appeared saying something about a runtime error in windows C++ (I'm afraid I cannot remember the exact message), and another window also appeared with a message saying flash had crashed and whether I wanted to stop it or try and continue. I stopped it, disconnected from the internet and closed the browser. I went back to the same site a little later after reconnecting and this time the video played.
I would like help in working out if this was an exploit performed against me, and if it has put a virus onto my machine.
What can I check to know if that has happened?
I've noticed flash player was acting a little differently to normal after I went back to watch the video (if I paused the video in fullscreen mode then seconds later it came out of fullscreen mode until I resumed playing the video).
This is what I have done so far to try and work out if an exploit... Read more

A:I need to work out if a crash in Flash Player was caused by an exploit attack

From Mozilla / Firefox Help pages, this check list is a place to start......... Not sure of any other ideas at this time...
Testing Flash
Updating Flash
Uninstalling Flash
Troubleshooting
Flash plugin not working
The Adobe Flash plugin has crashed
Unresponsive plugin warning
Playing Flash videos makes Firefox hang
Cannot view full screen Flash videos
Flash does not work properly and/or will not update
Flash doesn't load video
Flash works in Internet Explorer or Chrome but not in Firefox


My daughter played games [through facebook] on the computer for the last 3 weeks and has foolishly opened links in emails from unknown parties.  AVG is popping up every minute with Poweliks attack to the registry. Popups for Trojan horse Crypt_s.Hon came up. Also Exploit Java (type 1724):  howeled, hatbabsinotme.eu/z2lcgx2wxy has appeared. MalSign.Generic.373 has appeared twice.
 
Sometime during this same 3 weeks the settings for downloading things have changed. In IE I get "your current security settings do not allow this file to be download."  I have download issues in FF, also.  The computer is taking longer than normal to boot up. Web pages freeze or take 5-12 seconds to load.  Picture icons in windows explorer take 3-5 minutes to show the photo and some never do.  Ccleaner is taking 20 minutes to do what used to take 1 minute.
 
Spybot & Ccleaner say there are thousands of temporary files, whereas there used to be only a couple hundred.   I clear things out 5x per week.  What a mess.
 
I'm editing this 11/5/14:  I opened my computer and in 5 minutes AVG reported the virus JSFAKE Code, www.9v8Kxvfvw.com.... And, Poweliks attacks are being blocked every 60 seconds. And AVG just blocked Adware Generic_r.PQ: 2-vinstaller.com/api/download?   HELP, please.
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17344  BrowserJavaVersion: 10.67.2
Run by M... Read more

A:Poweliks attack every minute & Crypt-s.Hon; Java exploit: howeled; MalSign.Gener

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.
We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.
To help Bleeping Computer better assist you please perform the following steps:
***************************************************
In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.
CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/554798 <<< CLICK THIS LINK
If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.
***************************************************
If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of t... Read more


Published: January 7, 2005, 1:50 PM PST
By Dawn Kawamoto, Staff Writer, CNET News.com

Three unpatched flaws in Internet Explorer now pose a higher danger, a security company warned after code to exploit one of the issues was published to the Internet. Secunia said Friday it has raised its rating of the vulnerabilities in Microsoft's browser to "extremely critical," its highest rating. The flaws, which affect IE 6, could enable attackers to place and execute programs such as spyware and pornography dialers on victims' computers without their knowledge, said Thomas Kristensen, Secunia's chief technology officer. Exploit code for one of the vulnerabilities, a flaw in an HTML Help control, was published on the Internet on Dec. 21 in an advisory by GreyHats Security Group. "In order for us to rate a vulnerability as extremely critical, there has to be a working exploit out there and one that doesn't require user interaction," Kristensen said. "This is our highest rating and is the last warning for users to fix their systems." The exploit code can be used to attack computers running Windows XP even if Microsoft's Service Pack 2 patch has been installed, Secunia said. The company is advising people to disable IE's Active X support as a preventative measure, until Microsoft develops a patch for the problem. It also suggests using another browser product.

Full read: http://news.com.com/IE+flaw+threat+hits+th...457.html?tag=nl


Hello, I have this threat coming up every time I visit a website. Before the page opens this threat is being shown by AVG. You can see the screenshot for it. I am like helpless in this threat as I don't know where the file is located nor does AVG find it during the complete computer scan. Only after I connect to the Net and visit any website is it that it finds and shows this threat. Here is the image: I am currently using Windows XP Professional Service Pack 2. I also use Mozilla Firefox for surfing. I did update all the security updates from microsoft.com. The threat does not come if I am not using any flash player in the site. But it comes once I use any flash player or any other java script. For eg: If I don't go to youtube.com then it does not come. Or even if I go there but don't play any video it does not come. But once I play that video then it starts coming again and again even if I visit any non flash player site like google. So this is what happens and once that threat starts coming I stop receiving packets from the net in the LAN connection sign. Then I have to refresh it again and again to make my net work which is very irritating. Hope you understand my problem and help me out. Thanking you in advance.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:17 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlog... Read more

A:Exploit MDAC ActiveX Code Threat


Malicious code is living on weeks after it has been removed from websites thanks to an unexpected culprit - cache servers....According to Finjan Software...caching technology used by search engines, ISPs and large companies has been discovered to harbour certain kinds of malicious code even after the website that hosted it has been taken down. Such "infection-by-proxy" code can remain in caches for as long as two weeks, giving it a "life after death" at a time it would conventionally be assumed to have been neutralised...

Source: techworld.com


If you haven't updated your Firefox or Mozilla Web browser lately, now might be a good time to do so. Computer code that demonstrates how a known flaw in an older version of the browsers can be exploited in a potentially crippling attack was published on the Web over the weekend. The vulnerability was fixed in Firefox 1.0.5, released in July, and in Mozilla Suite 1.7.9, according to Mozilla. The code was published by Aviv Raff, a developer in Israel. "I think it's been enough time for people to upgrade from v1.0.4 of Firefox....

By Joris Evers, Staff Writer, CNET News.com
Published: December 13, 2005, 3:47 PM PST
Complete article on Browsers vulnerability at C/NET News
Latest version of Firefox 1.5


hi to all

I am facing a peculiar problem in my site. The problem is slowing down of the site.
Sometimes it happens that my site slows down (generally asp pages). When I see the IIS log I find default.ida type entries; this was a Code Red II attack. How can I protect the site from a Code Red II attack? Is a firewall usable? I have Norton installed on the server but it does not detect the virus Code Red.

pls guide

diwakar
 

A:virus code red ii attack on iis

I'm not really familiar with server based problems, but I'd start by reviewing the Symantec help here for this:

http://securityresponse.symantec.com/avcenter/venc/data/codered.ii.html
 


Users who have not yet installed the latest security updates from Microsoft could be vulnerable to attack from a malicious software program...The exploit code targets a vulnerability in the Remote Access Connection Manager (rasman) service, used by Windows to create network connections over the telephone...Hackers published the code on websites late last week, and it is now included in Metasploit, a hacking toolkit that is used by security researchers and criminals alike...Windows 2000 and Windows XP Service Pack 1 users need to be wary because they could be the victims of particularly nasty attacks that do not require authentication...

Source: pcadvisor.co.uk

Another reason to update since Windows XP SP1 and SP1a support ends on October 10, 2006.
http://support.microsoft.com/gp/lifean19


US-CERT is aware of a vulnerability affecting HP Info Center Software, which allows one-touch access to features on HP laptops. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary commands or to view or alter the system registry on affected systems...

Source: us-cert.gov

HP has released a Critical Security Update to address this issue.


Quote:
A Russian security researcher on Thursday said he has released attack code that exploits a critical vulnerability in the latest version of Mozilla's Firefox browser.

The exploit - which allows attackers to remotely execute malicious code on end user PCs - triggers a heap corruption vulnerability in the popular open-source browser, said Evgeny Legerov, founder of Moscow-based Intevydis. He recently added it as a module to Vulndisco, an add-on to the Immunity Canvas automated exploitation system sold to security professionals.

"We've played a lot with it in our labs - it was very reliable," Legerov wrote in an email to The Reg. "Works against the default install of Firefox 3.6. We've tested it on XP and Vista."


Source -
Attack code for Firefox zero-day goes wild, says researcher - The Register

A:Attack code for Firefox zero-day goes wild,..........

There's already been a revision to this:

2010-02-19 Mozilla Firefox/Thunderbird/SeaMonkey HTML Parser Remote Code Execution Vulnerability
2010-02-19 Mozilla Firefox CVE-2010-0159 Multiple Remote Memory Corruption Vulnerabilities
2010-02-19 Mozilla Firefox and SeaMonkey SVG Document Cross Domain Scripting Vulnerability
2010-02-19 Mozilla Firefox and SeaMonkey 'showModalDialog' method Cross Domain Scripting Vulnerability
2010-02-19 Mozilla Firefox and SeaMonkey Web Workers Array Data Type Remote Memory Corruption Vulnerability


A known flaw in Internet Explorer could be exploited by software published on the web late yesterday. The code, posted yesterday to the Milw0rm.com website, exploits a recently patched flaw in Microsoft's browser. It could be used to run unauthorised software on a PC that wasn't updated with the latest Microsoft patches...

Source: pcadvisor.co

A:Ie Attack Code Published Online

Lucky I'm using FireFox


Researchers at computer giant HP have published exploit code that can be used to attack a weakness in Internet Explorer, after Microsoft refused to issue a patch. In a blog post, Dustin Childs, HP senior security content developer, said the move to publish the flaw was not out of "spite or malice," but was in accordance with its own disclosure policy.
 
The bug allows an attacker to bypass Address Space Layout Randomization (ASLR), which acts as one of the many lines of defense in the popular browser. But the flaw only affects 32-bit systems, which the HP researchers said still affects millions of systems, even if many systems nowadays are 64-bit.
 

Article

A:Exploit code released for unpatched Internet Explorer flaw

John...I always err on the side of providing folks with more info rather than less. So good for HP and their policy.


It has been a week since hackers released software that could be used to attack a flaw in Windows Vista and Server 2008, but Microsoft and security companies say that criminals haven't done much with the attack.



More -
Hackers ignore Windows attack code - Prevention - ComputerworldUK


Full exploit code was published this morning for MDAC vulnerability MS07-009. The original demonstration of this vulnerability occurred on July 29, 2006 in HD Moore's Month of Browser Bugs #29. At the time, only a denial-of-service demonstration was published. Here is the full article from Websense.

A:Full Exploit Code Was Published This Morning For Mdac Vulnerability Ms07-009

Exploits are published all the time..........


I am running Vista home premium with firefox. I have tried Cureit, McAfee, Malwarebytes, manual in safemode, Cureit in Safemode, Malwarebytes in Safe Mode. It always shows clean but when I start up windows it says StService .exe error. Then STLog.dll error. Then Mcafee proceeds to pop up all the files they have "fixed". They're always there and I'm frustrated.
Thank you,
Dana

A:exploit CVE2007-0071, JS/Generic exploit.i, exploit PDF.f, and more

Hello.
I have run Cureit, Malwarebytes, mcafee and they find a clean system but there is obviously some trojans hanging around. I have tried safe mode and normal. At startup, the error: STService.exe unable to locate component. Failed to start because STLog.dll was not found. Then it proceeds to give error MOM.EXE application error. Then I get my trojan error for Exploit CVE2007-0071 and the JS/Generic exploit.i error. It follows with internet explorer script error mentioning jl.chura.pl/rc/ (I use firefox and vista home premium)

Thank you in advance!
DDS (Ver_09-06-26.01) - NTFSx86
Run by gingereva at 8:00:44.40 on Tue 07/21/2009
Internet Explorer: 8.0.6001.18783 BrowserJavaVersion: 1.6.0_14
Microsoft® Windows Vista® Home Premium 6.0.6002.2.1252.1.1033.18.3326.2170 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32&#... Read more


My PC's been running weird for about a week now and in that time numerous infections have been found, quarantined and removed. Last virus scan came back clear 'hooray!'... or so i thought...I use AVG free 8.5 and within the space of 45 mins i have received two separate threat alerts. The first one was exploit phoenix exploit kit type 1112 and the second one was exploit rogue scanner type 1148. The next step was unplugging it and drop kicking it out the window until these threat alerts popped up as it proves the machine is still under the influence of something. Can someone please advise me on the 'whats', 'hows' and 'whens' to restore my PC back to how it should be? Many much thanks in advance!


Company urges users to run single-click tool before hackers exploit 'decently wormable' SMB 2 flaw.
With attack code that exploits a critical unpatched bug in Windows likely to go public soon, Microsoft wants users to run an automated tool that disables the vulnerable component.
The bug in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol that ships with Windows, affects Windows Vista, Windows Server 2008 and preview releases of Windows 7.



Source -
Microsoft unveils shield for critical Windows flaw as attack code looms | Security Central - InfoWorld


this has to do with direct x. Each time I down load the fix, the fix tells me that i don't have the designated directx program
 

A:how to cure ms05-050

According to that security bulletin .......... http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx ......
Affected Components:

• Microsoft DirectX 8.0, 8.0a, 8.1, 8.1a, 8.1b, and 8.2 when installed on Windows 2000 Service Pack 4

• Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows 2000 Service Pack 4

• Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows XP Service Pack 1

• Microsoft DirectX 9.0, 9.0a, 9.0b, and 9.0c when installed on Windows Server 2003

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Maybe you don't fall in to these categories? If, for instance you have XP service pack 2,
it would seem the patch doesn't apply.

The article has further info on how to determine what version of DirectX you have & if you need the patch.
 


 
Several critical vulnerabilities in the protocol implementation used to synchronize clock settings over the Internet are putting countless servers at risk of remote hijacks until they install a security patch, an advisory issued by the federal government warned.
The remote-code execution bugs reside in versions of the network time protocol prior to 4.2.8, according to an advisory issued Friday by the Industrial Control Systems Cyber Emergency Response Team. In many cases, the vulnerabilities can be exploited remotely by hackers with only a low level of skill.
"Exploitation of these vulnerabilities could allow an attacker to execute arbitrary code with the privileges of the [network time protocol daemon] process," the advisory warned. Exploit code that targets the vulnerabilities is publicly available. It's not clear exactly what privileges NTP processes get on the typical server, but a handful of knowledgeable people said they believed it usually involved unfettered root access. Even if the rights are limited, it's not uncommon for hackers to combine exploits with privilege elevation attacks, which increase the system resources a targeted app has the ability to control.

 

Attack code exploiting critical bugs in net time sync puts servers at risk
 


Trend is reporting a trojan horse that might be the first example of a new exploit developed from the November security updates issued by Microsoft. Please update your PC with the latest security updates offered by Microsoft, as more developments could follow.

Internet Storm Center: TROJ_EMFSPLOIT.A in the wild
Trend Link: TROJ_EMFSPLOIT.A in the wild

Trend Micro is reporting a trojan in the wild (TROJ_EMFSPLOIT.A) that is exploiting the recent MS05-053 vulnerability announced on Tuesday. The trojan causes EXPLORER.EXE to crash, which isn't so much fun for Windows users.

Upon execution, this Trojan causes the EXPLORER.EXE of affected machines to crash. It may also cause applications that attempt to load it to crash. An example of an application that can load EMF files is Internet Explorer. This Trojan runs on Windows 2000 Service Pack 4 and XP with no Service Pack.

A:Ms05-053: Troj_emfsploit.a In The Wild

UPDATE: In a story reported yesterday (here), TrendMicro apparently now admits their analysts mis-analyzed this trojan and that it does not actually exploit MS05-053.

Comments: While both the Internet Storm Center and Trend originally noted an MS05-053 based exploit, the actual EMF based trojan is instead closely related. Hopefully, no true MS05-053 exploits will surface. While we have time, Trend's modified analysis of this threat doesn't diminish the importance of keeping Windows, Macromedia Flash, and every product installed as up-to-date as possible.

Source: Internet Storm Center revises TROJ_EMFSPLOIT.A analysis and notes that it is NOT related to MS05-053


Please apply the January security updates from Microsoft ASAP. This brand new proof-of-concept could serve as a model for other developments.

MS05-002: Backdoor.Globe POC Trojan
http://secunia.com/virus_information/14495/globe/
http://www.sarc.com/avcenter/venc/data/backdoor.globe.html

Backdoor.Globe is a proof-of-concept Trojan that exploits the Microsoft Windows LoadImage API Function Integer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-002). The Trojan exists as javascript embedded in an HTML file that uses a malformed animated cursor (.ani) to cause a stack overflow. The Trojan does not affect Windows XP SP 2.

Microsoft Security Updates for January 2005


winxp prof or OE problem here?

--------------------------------------------------------------------------------

Hi there, to who can help: thanks!

Used to , quite easily, click on a photo in my file and "send to" via outlook express; got option of making photos smaller and hey presto!

CANNOT DO THAT ANY MORE!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

tells me it is still "downloading" onto OE, the address wont automatically pick up and if I do get to send it it goes full size , enormous amounts of space.

so what's happened here??????

all help is, as always, much appreciated

regards

Dd

desireepp
#2 20-Feb-2005, 07:28 PM
desireepp
Member Join Date: May 2003
Location: Brazil
Posts: 79

NO ONE KNOWS???: winxp prof or OE problem here?

--------------------------------------------------------------------------------

any ideas where to get answers for this issue?

is still bugging me...............

(((((

thanks

desireepp
#3 Yesterday, 02:35 AM
tuffguy
Senior Member Join Date: Feb 2003
Location: Missouri
Posts: 130

It appears to be an XP problem. Read this and see if it helps. http://support.microsoft.com/default.aspx?scid=kb;enus;883393
__________________
System specs
Windows XP Pro
Asus A7N8X deluxe 2.0
Athlon xp2500 bar... Read more


The Mytob worm has been modified to include MS05-039 exploitation. F-Secure gives this a MEDIUM RISK rating (2 of 3 on the Radar scale).

KEY LINKS
MS05-039: Zotob.A Worm - F-Secure (MEDIUM RISK)
MS05-039: Zotob.A Worm - F-Secure WEBLOG

Zotob.A is a Mytob clone that spreads using a vulnerability in Windows Plug and Play service (MS05-039).

Spreading using Plug and Play service vulnerability

The worm scans for systems vulnerable to Microsoft Windows Plug and Play service (MS05-039) through TCP/445. If the attack is successful, the worm instructs the remote computer to download and execute the worm from the attacker computer using FTP. The FTP server listens on port 33333 on all infected computers with the purpose of serving out the worm for other hosts that are being infected. The downloaded file is saved as 'haha.exe' on disk.

urity/Bulletin/MS05-039.mspx

A:MS05-039: Zotob.A Worm -- In-the-wild

Symantec Info
http://www.sarc.com/avcenter/venc/data/w32.zotob.a.html
Internet Storm Center
http://isc.sans.org/diary.php?date=2005-08-14

Important facts so far:
- Patch MS05-039 will protect you
- Windows XP SP2 and Windows 2003 can not be exploited by this worm, as the worm does not use a valid logon.
- Blocking port 445 will protect you (but watch for internal infected systems)
- The FTP server does not run on port 21. It appears to pick a random high port.


A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently. This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed this exploit was not used, as noted in the post below.

MS05-039 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites

Information on the MS05-047 exploit, which attacks PnP security in a similar fashion to MS05-039, is noted below: FrSIRT has also published POC code for ms05-047 exploit

A:Ms05-039 -- Mocbot Irc Worm In The Wild

After further testing McAfee/AVERT has confirmed this new IRCbot uses MS05-039 from August. Thankfully, a little more time remains to complete corporate updates. Still, with at least 4 published exploits from October in the wild, it's critical to test and patch all PCs and Servers quickly -- AVERT/McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested the MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.
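The Mocbot symptoms listed above (wudpcom.exe in the Windows system directory, a service called "wudpcom", TCP 18067 connections) and the Zotob.A facts a few posts up (scanning on TCP/445, the 'haha.exe' drop) are the sort of indicators a defender turns into a quick host check. The script below is an added example and is not code from the quoted advisories, vendors or posters; the netstat-style lines, file list and service list are constructed sample data, and the threshold of five distinct hosts on 139/445 is an assumption used to separate worm-style scanning from ordinary file sharing.

```python
"""Indicator checks for the Zotob.A and Mocbot symptoms quoted above (added example)."""
import re
from collections import defaultdict

# Indicators quoted in the posts: dropped file names, the Mocbot service name,
# the Mocbot command port, and the ports both worms probe for new victims.
DROPPED_FILES = {"haha.exe": "Zotob.A", "wudpcom.exe": "Mocbot"}
MOCBOT_SERVICE = "wudpcom"
MOCBOT_C2_PORT = 18067
SCAN_PORTS = {139, 445}
# Assumption (not from the posts): one local host reaching this many distinct
# peers on 139/445 is treated as worm-style scanning rather than file sharing.
SCAN_THRESHOLD = 5

# Constructed sample in "netstat -an" layout: proto, local address, remote address, state.
SAMPLE_NETSTAT = """
Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:1031          10.0.0.10:445          SYN_SENT
  TCP    10.0.0.5:1032          10.0.0.11:445          SYN_SENT
  TCP    10.0.0.5:1033          10.0.0.12:445          SYN_SENT
  TCP    10.0.0.5:1034          10.0.0.13:139          SYN_SENT
  TCP    10.0.0.5:1035          10.0.0.14:445          SYN_SENT
  TCP    10.0.0.5:1036          10.0.0.15:445          SYN_SENT
  TCP    10.0.0.5:1037          10.0.0.10:139          SYN_SENT
  TCP    10.0.0.5:1040          203.0.113.9:18067      ESTABLISHED
  TCP    10.0.0.8:2201          10.0.0.20:445          ESTABLISHED
""".strip().splitlines()

# Constructed host inventory: files under the system directory and installed service names.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\wudpcom.exe",
    r"C:\WINDOWS\system32\haha.exe",
]
SAMPLE_SERVICES = ["Spooler", "wudpcom", "Dhcp"]

CONN_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)$")


def parse_connections(lines):
    """Return (proto, src_ip, src_port, dst_ip, dst_port, state) tuples; header/junk lines are skipped."""
    out = []
    for line in lines:
        m = CONN_RE.match(line.strip())
        if m:
            proto, sip, sport, dip, dport, state = m.groups()
            out.append((proto, sip, int(sport), dip, int(dport), state))
    return out


def find_scanners(conns, threshold=SCAN_THRESHOLD):
    """Map source IP -> number of distinct hosts it contacted on 139/445, keeping only those at or above threshold."""
    targets = defaultdict(set)
    for proto, sip, _sport, dip, dport, _state in conns:
        if proto == "TCP" and dport in SCAN_PORTS:
            targets[sip].add(dip)
    return {sip: len(hosts) for sip, hosts in targets.items() if len(hosts) >= threshold}


def find_c2_connections(conns):
    """Return (src, dst) pairs for TCP connections to port 18067, the Mocbot bot-to-controller port."""
    return [(sip, dip) for proto, sip, _sp, dip, dport, _st in conns
            if proto == "TCP" and dport == MOCBOT_C2_PORT]


def check_host_inventory(files, services):
    """Match file names and service names against the dropped files and service named in the posts."""
    findings = []
    for path in files:
        name = path.rsplit("\\", 1)[-1].lower()
        if name in DROPPED_FILES:
            findings.append(f"{DROPPED_FILES[name]} dropped file: {path}")
    for svc in services:
        if svc.lower() == MOCBOT_SERVICE:
            findings.append(f"Mocbot service present: {svc}")
    return findings


if __name__ == "__main__":
    conns = parse_connections(SAMPLE_NETSTAT)
    for sip, count in find_scanners(conns).items():
        print(f"possible PnP worm scanning from {sip}: {count} distinct hosts on 139/445")
    for sip, dip in find_c2_connections(conns):
        print(f"Mocbot C2 port in use: {sip} -> {dip}:{MOCBOT_C2_PORT}")
    for finding in check_host_inventory(SAMPLE_FILES, SAMPLE_SERVICES):
        print(finding)
```

On a real host the three inputs would come from `netstat -an`, a listing of the system directory and the service control manager; the matching logic stays the same. A hit on the scanning heuristic alone is worth a look even without the file or service indicator, since a later variant may rename the drop but still has to probe 139/445 to spread.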


A Trend Micro security check apparently has detected a high-risk vulnerability with the related bulletin MS05-004. I clicked on Windows Update which led to a High-priority update for Windows XP: Microsoft .NET Framework 1.1 Service Pack 1

I'm curious as to why I would be getting this high-priority update notice. I supposedly get my Windows Updates automatically installed. And isn't this something that should've been installed quite some time ago? Apparently it was published in 2004.

I'm assuming I should go ahead and install this update which I figure I should've already had. It says that once it's been installed, it can't be removed. Is it possible that I could've somehow had it accidentally removed from my system and that I now need to reinstall it?

I would greatly appreciate hearing from anyone who is able to understand what is going on. Thank you very much.
 


Hi everyone, new here. Got some problems with my comp as you can tell and I hope you guys can help me with it.

Thanks!

Summary:

C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\MD6GXSRL\sp2-cpx-728[1].swf=>[SWF command] Infected: Trojan.SwfDL.A
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\MD6GXSRL\sp2-cpx-728[1].swf=>[SWF command] Disinfection failed
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\MD6GXSRL\sp2-cpx-728[1].swf=>[SWF command] Move failed
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\WHZTBVYV\sploit[1].anr Infected: Exploit.Win32.MS05-002.Gen
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\WHZTBVYV\sploit[1].anr Disinfection failed
C:\Documents and Settings\Local Settings\Temporary Internet Files\Content.IE5\WHZTBVYV\sploit[1].anr Moved
C:\Program Files\DAEMON Tools\SetupDTSB.exe Detected: Application.Adware.Savenow.G
C:\Program Files\Viewpoint\Viewpoint Manager\ViewCP.cpl Detected: Application.Viewpoint.A
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe Detected: Application.Viewpoint.DR
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win\Exec.exe Infected: Dropped:Application.Viewpoint.DR
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponents\VMgr_Win\Exec.exe Disinfection failed
C:\Program Files\Viewpoint\Viewpoint Media Player\DownloadedComponent... Read more

A:Trojan.swfdl and xploit.Win32.MS05-002.Gen...need help!

anyone? or do i need to put more info?
 


This new threat arrives as a Word document and manipulates unpatched Windows PCs, manipulating the recent MS05-016 patch which was part of the April 2005 updates provided by Microsoft.

MS05-016: VBS_RUNEXPLT.C (arrives as Word Document)
http://secunia.com/virus_information/18394/

This malicious VBScript file takes advantage of the Windows Shell vulnerability, which could allow a remote malicious user to execute arbitrary code on the affected system. For more information about this vulnerability, please refer to the following Microsoft page: Microsoft Security Bulletin MS05-016. It usually arrives on a system as a Microsoft Word document. When executed on a vulnerable machine, it attempts to download and execute a file, which may also be malicious in nature, from the following location: Nnpyf.c{BLOCKED}nn.com. This malicious VBScript file runs on Windows 98, ME, 2000, and XP.

April 2005 - Microsoft Security Bulletin MS05-016
http://www.microsoft.com/technet/security/...n/MS05-016.mspx


Below are the recommended general cleaning techniques for MS05-039 infections associated with the Windows 2000 environment. The key steps are to remove the current virus with a standalone removal tool, get Windows 2000 to Service Pack 4, and then apply the MS05-039 patch so your system is bullet-proof from current and future infections based on this specific security exposure.

1. IF NEEDED: Download Windows 2000 Service Pack 4 plus the MS04-011 patch. (this step can be skipped if user has these)
2. Download MS05-039 patch from Microsoft
3. Download McAfee's Stinger standalone cleaning tool (which handles all major Zotob and other MS05-039 threats). Other AV and MS based standalone cleaners can be used also.
note - in steps 1-3, you may need to use another uninfected PC if they have the continuous reboot issue; also AV and Firewall protection may be gone as these worms clobber most of the popular ones. You can copy to and from a CD or USB memory stick to capture these repair tools. Stinger should fit on a diskette
4. Run McAfee's Stinger cleaning tool (or other standalone AV or MS cleaning tools) to remove worm infection
5. IF NEEDED: Apply Windows 2000 SP4 and then reboot. Then apply the MS04-011 which provides protection against Sasser.
6. Apply the MS05-039 patch from Microsoft and reboot
7. Connect back to the Internet and run Windows Update. Then update your Antivirus software. Update or add a firewall system if you need one.
8. From a lessons learned standpoint - ... Read more

A:MS05-039 Cleaning infections for Windows 2000 PCs

Microsoft offers Zotob removal tool.

Microsoft has made available a free software tool to help victims of the worms that hit Windows computers in the past days clean their systems. The cleaning program, released Wednesday, is an updated version of Microsoft's Windows Malicious Software Removal Tool...The updated cleaning program checks for and removes infections from Zotob.A through Zotob.E, as well as from Bobax.O, Esbot.A, Rbot.MA, Rbot.MB and Rbot.MC, according to Microsoft. The list represents all known variants based on Microsoft's investigation...

Published: August 17, 2005, 6:40 PM PDT
By Joris Evers
Staff Writer, CNET News.com
Complete article at CNET News


The Internet Storm center reports that a highly automated home page hijacking attack is occurring on vulnerable servers and workstations using MS05-001 and MS05-002 exploits. A Google search this morning notes that the 7sir7 hacker site is shutdown but affected PCs would still attempt to go there.

Entire web farms hacked to serve up the 7sir7 redirect
http://isc.sans.org//diary.php?date=2005-03-13
http://www.google.com/search?&q=7sir7

We have received reports and evidence that a number of companies that provide shared hosting web servers have had their servers exploited and all of the customer homepages modified so that visitors are attacked. In one case, a Perl script was used to modify each customers homepage with the additional IFRAME snippet that fellow handler Lorna had already reported in the diary two days ago. The Perl script reads in the web server configuration (httpd.conf) on a compromised server, and then appends the malicious iframe code to all the index.html pages of all the virtual hosts available on this server. The same reader who managed to isolate this script has also contributed a script written by himself to clean up the affected pages. If you shout loud enough, we might include it in tomorrow's diary :-)

The page at 7sir7 is making use of several recent vulnerabilities in order to download and install malware on the PC of whoever visits the site.
- Exploits the .ANI cursor vulnerability (MS05-002)
- Exploits the HTML Help Cross Domain Vulnerability (MS... Read more


W32/Dasher-B is a worm for the Windows platform. W32/Dasher-B spreads by exploiting the MSDTC (MS05-051) vulnerability. When run the worm creates the following files:
<Windows system folder>\wins\sqlexp.exe
<Windows system folder>\wins\sqlscan.exe
<Windows system folder>\wins\svchost.exe
Sqlscan.exe is a port scanner, used to search networks for open ports. Sqlexp.exe and svchost.exe are detected as W32/Dasher-B. W32/Dasher-B searches a set of pre-defined networks for open ports and attempts to exploit any vulnerable computers it finds. The exploit opens a backdoor on the vulnerable computer and causes it to connect to a remote server for further instructions. At the time of writing the instructions supplied by the remote server cause the exploited computer to download and execute two further programs.

The current version of this MS05-051 based Internet worm has some bugs. This new development should be watched, as future variants could improve their capability to spread.

Sophos information
http://www.sophos.com/virusinfo/analyses/w32dasherb.html
F-Secure: http://www.f-secure.com/weblog/archives/ar...5.html#00000735
ISC: MS05-051 (MSDTC) Malware / Port 1025 http://isc.sans.org/diary.php?storyid=934


Hi. For the past week I've been having redirecting issues on Google links and as of today it takes multiple reloads before I can get to the Google site/applications. I scanned my PC with AVG Free 2012 and I'm told I have Trojan Horse Crypt.ANVH, which is whitelisted by AVG. Late last night I started getting messages about Exploit Phoenix Exploit Kit (Type 769) which was located in svc.host. SVC.HOST randomly goes from 90k mem usage to 500k- 1million usage. I'm also getting tons of random cookies (which I think the trojan is the cause?) just from being connected to the internet, though I won't have any applications open at the time. When I ran Gmer like the Welcome Guide said to, the application kept freezing in the middle of scanning, so I had to download the .EXE file instead of the .ZIP, but that didn't work either (1st try: froze computer. 2nd try: computer froze then randomly rebooted). I am currently rerunning Gmer under the name iexplorer.exe, but I want to get this post up as soon as possible to get this fixed. I'll post the data, if I can get it, from Gmer when it pops up down below. One last thing -phew- My windows firewall, when I double-click to activate it, gives me a message "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connection Sharing (ICS) service?". When I click yes, I then get the message "Windows cannot start the Wind... Read more

A:Infected with: Trojan Horse Crypt.ANVH and Exploit Phoenix Exploit Kit (Type 769)

Hello and welcome to the forums!My secret agent name on the forums is SweetTech (you can call me Agent ST for short), it's a pleasure to meet you. I would be glad to take a look at your log and help you with solving any malware problems.If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed. If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
In Windows Vista and Windows 7, all tools need to be started by right clicking and selecting Run as Administrator!
If I instruct you to download a specific tool in which you already have, please delete the copy that you have and re-download the tool. The reason I ask you to do this is because these tools are updated f... Read more
