[Dshield] w32 rpc virus pop-up

dcm2002@sbcglobal.net dcm2002 at sbcglobal.net
Thu Sep 4 12:20:37 GMT 2003


This could be an IE "chromeless" window, which is a frameless window. It
can overlay another IE popup and hide the real meaning of OK. There was
some discussion on this about a month ago in BugTraq, with some very
scary examples. 

The thread starts with 
http://www.securityfocus.com/archive/1/328947

There were some good "examples" in the thread on how chromeless windows
could be used to Human Engineer someone to download and run code.


David Mehl
Houston TX  USA
dcmehl AT sbcglobal DOT net 

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Rick Klinge
Sent: Wednesday, September 03, 2003 10:06 PM
To: General DShield Discussion List
Subject: RE: [Dshield] w32 rpc virus pop-up


Have you thought about stopping and disabling the Windows Messenger?

http://www.theeldergeek.com/messenger.htm


yet another spammer hole..

~Rick

hehe.. more reasons to block ports.. ;-)


-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On
Behalf Of Johannes Ullrich
Sent: Wednesday, September 03, 2003 9:27 PM
To: General DShield Discussion List
Subject: Re: [Dshield] w32 rpc virus pop-up



Sounds like popup spam. Do you have a firewall? Are ports 135 and 1026
closed?

On Wed, 2003-09-03 at 21:37, Lindsey Mason wrote:
> Has anyone seen an Internet Explorer window stating that W32 RPC Virus
> Detected?  It provides an OK button and prompts you to click on OK to
> Scan and Clean.  I have seen this once at work (W2K) and just now at
> home (XP).  I can't seem to find any info about it from Symantec.  I
> ran a manual scan on my workstation and it is clean.
>
> Thanks,
>
> Lindsey Mason
>
> _______________________________________________
> list mailing list
> list at dshield.org
> To change your subscription options (or unsubscribe), see:
> http://www.dshield.org/mailman/listinfo/list
--
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------

