netbuie.exe, and

From: Edwards, David (JTS) (Edwards.Daveat_private)
Date: Mon May 06 2002 - 17:40:06 PDT


    We've just found some instances of "netbuie.exe" running in some terminal
    server sessions here.  The file was written to the Winnt\system32 directory
    about 6:00pm on Sunday and registry entries made in:
    HKLM/Software\Microsoft\windows\current version\run
    It seems to be a Vb 5 PE that hits on two web sites, and when run.  Possibly just generating revenue for
    some bod somewhere.
    Looks like the server wasn't fully patched, hfnetchk showed 6 Win2k Server
    patches missing and 2 IE6.
    This sounded familiar (when I first saw it) but I haven't been able to find
    any other references so I thought I'd make one :-)   The worry is (of
    course) that the server is further compromised.  Anyone seen this before?
    Dave Edwards 
    Justice Technology Services
    Ph: +61 8 82265426 || 0408 808355 
    mailto: edwards.daveat_private
    Snail : Justice Technology Services 
            GPO Box 2048, Adelaide 5001
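
A triage check for the two artifacts the message describes (an HKLM Run entry and a recently written executable), as an added example that is not part of the original post. It assumes a Windows host with PowerShell; the 7-day window, the signature check and the parameter names are illustrative assumptions, and only the `netbuie.exe` file name and the HKLM Run key come from the message.

```powershell
# Added example (not from the original post): list HKLM Run autostart entries
# and flag targets that are new, missing, unsigned, or on a watch list.
param(
    [int]$Days = 7,                            # look-back window (assumed value)
    [string[]]$WatchNames = @('netbuie.exe')   # file name reported in the post
)

$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$sys32  = Join-Path $env:SystemRoot 'System32'
$cutoff = (Get-Date).AddDays(-$Days)
$key    = Get-Item -Path $runKey

foreach ($name in $key.GetValueNames()) {
    # Read the raw value, then expand %SystemRoot% and similar explicitly
    $raw = [string]$key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
    $cmd = [Environment]::ExpandEnvironmentVariables($raw).Trim()
    if (-not $cmd) { continue }

    # Extract the executable: quoted path, unquoted path ending in a known
    # extension (may contain spaces), or the first token as a fallback
    if     ($cmd -match '^"([^"]+)"')                          { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { $exe = $Matches[1] }
    else                                                       { $exe = ($cmd -split '\s+')[0] }

    # Assumption: a bare file name is looked up in System32 only
    if (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $sys32 $exe }

    $file    = Get-Item -LiteralPath $exe -Force -ErrorAction SilentlyContinue
    $reasons = @()
    if ($WatchNames -contains [IO.Path]::GetFileName($exe)) { $reasons += 'watched file name' }
    if (-not $file) {
        $reasons += 'target not found'
    } else {
        if ($file.CreationTime -gt $cutoff -or $file.LastWriteTime -gt $cutoff) {
            $reasons += "created or modified in the last $Days days"
        }
        $sig = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
        if ($sig -ne 'Valid') { $reasons += "signature status: $sig" }
    }

    [pscustomobject]@{
        ValueName = $name
        Command   = $raw
        Target    = $exe
        Created   = if ($file) { $file.CreationTime } else { $null }
        Flags     = $reasons -join '; '
    }
}
```

An empty `Flags` column means none of these heuristics fired for that entry; it does not establish that the entry is benign, and file timestamps can be altered by whoever wrote the file.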

    This archive was generated by hypermail 2b30 : Tue May 07 2002 - 08:51:37 PDT