[Dshield] Anyone seen
corinnec at abdi.com
Wed Feb 25 22:07:29 GMT 2004
The only things I could dig up on Sndman.exe is that it is possibly
something related to sound apps or the sound card on the computer, so it may
not be anything to worry about, but I've never had that service on any of my
computers so I can't say for certain.
One other item of note. I don't believe SUS pushes out MS Office patches
and service packs, and there are several patches/SP's for all versions of
Office available. Do you run any versions of Word, Excel, Outlook, etc. in
your environment? They are another possible area of attack from infected
documents, etc. There's also always the possibility that something was
exploited before it was patched and that it is a custom job or something not
detected by AV.
Although, I'm not really convinced that there is actually an exploit going
on here without more data and proof. It could be traffic due to equipment
(hubs) or even something misconfigured somewhere; I'd say there are at least
a couple of possibilities that aren't necessarily the result of infection or
intrusion. I'd say do more investigation into the services, search for
suspicious open ports on the machines and use a sniffer to see if there's
any suspicious traffic that might point towards something more definite.
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Daugherty Bryan
Sent: Wednesday, February 25, 2004 1:01 PM
To: General DShield Discussion List
Subject: RE: [Dshield] Anyone seen
I checked each pc in question and they were in fact up to date. I have been
successful in using SUS to push SPs and critical updates. My AV console
allows me to manually push AV def's to those few pc's that might miss an
auto update. I check for OS updates and AV updates several times a day.
I do see some similarities to Gaobot. However, I would like to think my
virus engine would detect this by now.
More information about the list