[Dshield] Interesting Prefetch file in Windows XP and MSBLAST.exe

Johannes B. Ullrich jullrich at sans.org
Fri Aug 15 13:56:46 GMT 2003




I think (not tested yet) that the prefetch file is left if the tftp
session that Blaster starts is interrupted. This should be quite common given
that tftp isn't all that robust and the machine is under some distress
as a result of being infected.

If you find the file: rebuild. Windows Update may be failing due to one
of the RPC DCOM autorooters messing with it before the worm hit?


On Fri, 2003-08-15 at 09:16, Deb Hale wrote:
> Yes,  I have a laptop that has the same file.  I am having a problem with
> this one finishing the windows updates that have not been installed.  I am
> getting an error that says that the software key is invalid. Not sure what
> is going on - will let you know if I figure something out - if anyone has
> any ideas let me know.  Deb
> 
> Deborah F Hale
> Certified Business Continuity Professional/Computer Security Specialist
> BCP Enterprise, Inc
> Telephone: (712) 252-0361
> www.bcpenterprise.com
>  
> 
> 
> -----Original Message-----
> From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
> Of DAN MORRILL
> Sent: Thursday, August 14, 2003 7:46 PM
> To: incidents at incidents.org; list at dshield.org
> Subject: [Dshield] Interesting Prefetch file in Windows XP and MSBLAST.exe 
> 
> 
> This has only appeared on multiple Windows XP SP1 with MS-026 et al patches.
> 
> But interesting all the same.
> 
> But I have noticed that MSBLAST.EXE appears in a prefetch file under
> c:\windows\prefetch as msblast.exe-09FF8F2.pf
> 
> It seems to be unique, and I am hoping to hear whether someone else has
> seen anything similar.
> 
> Has anyone seen anything similar to this?
> 
> Thanks!
> r/
> Dan
> 
> 
> Dan Morrill
> 
> 
> 
> Sometimes MSN E-mail will indicate that the message failed to be delivered.
> Please resend when you get those, it does not mean that the mail box is bad,
> 
> merely that MSN mail is overworked at the time.
> 
> Otherwise, hope things are going well.
> r/
> Dan
> 
> 
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt
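As an added example, not code from the thread or from any of its participants: a small Python triage routine of the kind a responder would run over c:\windows\prefetch after reading the above. It parses the Windows XP (format version 17) prefetch header using the field offsets I know for that version, confirms that the file name matches the executable name and path hash recorded inside the header, and flags an MSBLAST.EXE entry as evidence that the worm binary was executed. The sample headers, hash values, timestamps and the WATCHLIST are constructed assumptions for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone
# Offsets in the Windows XP (format version 17) prefetch header; later (Vista+) layouts differ.
OFF_VERSION, OFF_NAME, OFF_HASH, OFF_LASTRUN, OFF_RUNS = 0x00, 0x10, 0x4C, 0x78, 0x90
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WATCHLIST = {"MSBLAST.EXE"}  # the worm binary discussed in the thread (assumed watchlist)

def build_xp_prefetch(exe, path_hash, last_run, run_count):
    """Construct a minimal v17 header (test data only, not a capture from a real host)."""
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, OFF_VERSION, 17, b"SCCA")   # version, "SCCA" magic
    name = exe.encode("utf-16-le")[:58]                         # 60-byte NUL-terminated field
    hdr[OFF_NAME:OFF_NAME + len(name)] = name
    struct.pack_into("<I", hdr, OFF_HASH, path_hash)
    struct.pack_into("<Q", hdr, OFF_LASTRUN,                    # FILETIME, 100 ns units
                     int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000)
    struct.pack_into("<I", hdr, OFF_RUNS, run_count)
    return bytes(hdr)

def parse_xp_prefetch(data):
    """Pull executable name, path hash, last run time and run count out of a v17 header."""
    version, sig = struct.unpack_from("<I4s", data, OFF_VERSION)
    if sig != b"SCCA" or version != 17:
        raise ValueError(f"not an XP prefetch header: version={version} sig={sig!r}")
    exe = data[OFF_NAME:OFF_NAME + 60].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, OFF_HASH)
    (ft,) = struct.unpack_from("<Q", data, OFF_LASTRUN)
    (runs,) = struct.unpack_from("<I", data, OFF_RUNS)
    return {"exe": exe, "hash": f"{path_hash:08X}", "runs": runs,
            "last_run": FILETIME_EPOCH + timedelta(microseconds=ft // 10)}

def triage(prefetch_dir):
    """prefetch_dir maps file name -> bytes. Report watchlisted executables and renamed files."""
    findings = []
    for fname, data in prefetch_dir.items():
        rec = parse_xp_prefetch(data)
        expected = f"{rec['exe']}-{rec['hash']}.pf"      # name the OS itself would have written
        if rec["exe"].upper() in WATCHLIST:
            findings.append((fname, "watchlisted executable was run", rec))
        if fname.upper() != expected.upper():
            findings.append((fname, f"file name does not match header ({expected})", rec))
    return findings
SAMPLE_DIR = {  # constructed sample directory; hash values and times are invented
    "MSBLAST.EXE-0A3B9C1D.pf": build_xp_prefetch("MSBLAST.EXE", 0x0A3B9C1D,
                                                datetime(2003, 8, 14, 23, 46, tzinfo=timezone.utc), 1),
    "NOTEPAD.EXE-1234ABCD.pf": build_xp_prefetch("NOTEPAD.EXE", 0x1234ABCD,
                                                datetime(2003, 8, 10, 9, 0, tzinfo=timezone.utc), 7),
}
for fname, why, rec in triage(SAMPLE_DIR):
    print(f"{fname}: {why}; last run {rec['last_run']:%Y-%m-%d %H:%M} UTC, run count {rec['runs']}")
```

On a real host you would read each .pf file from c:\windows\prefetch into the dictionary; the last-run time and run count give you when the binary executed and how often, which is exactly what a partial tftp download leaves behind.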
