Re: Secure.dcom.exe

From: Sorin Victor DUDEA (sdudeaat_private)
Date: Thu Aug 07 2003 - 23:25:26 PDT


    Hello Lee,
    
          That file is not malware. It is a DCOM disabler.
          It sets the key EnableDCOM from
          HKLM\Software\Microsoft\Ole\ to 'N'. By this the computer is
          immune to the RPC/DCOM exploit.
    
    Wednesday, August 6, 2003, 1:50:13 PM, you wrote:
    
    LE> Hi All,
    
    LE> I have found an executable called secure.dcom.exe when looking around a
    LE> customer's server. They hadn't patched the server above SP4 and I assume it
    LE> has been exploited using the RPC DCOM vulnerability. A serv-u ftp server has
    LE> been installed, but I'm still looking into it to see if I can spot anything
    LE> else. Netstat shows a bunch of outgoing connections to 6667 -
    LE> irc.homelien.no. Unfortunately there are no IDS or other systems on this
    LE> network segment I can use, so I'm looking for some way to capture this traffic
    LE> and hopefully track down some more details on the irc traffic - if anyone
    LE> can recommend a good (preferably free) traffic sniffer I can quickly install
    LE> on the host locally (win2k sp4) to decode the IRC traffic I would be
    LE> grateful.
    
    LE> The exe is available from http://www.leeevans.org/secure.dcom.exe - if
    LE> anyone wants a look. I'd be interested to know more about it, if anyone has
    LE> come across it before or can find out.
    
    LE> Regards
    LE> Lee
    
    
    
    -- 
    Best regards,
         Sorin Victor Dudea
         BitDefender Head of Antivirus Research
         E-mail: sdudeaat_private, sdudeaat_private
    
         www.bitdefender.com
         www.softwin.ro
    
    
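Lee's question above is how to decode the IRC traffic the compromised host is sending to port 6667. Once a sniffer has written the TCP payload of that session out as text, the lines are plain IRC protocol framing (an optional ':prefix', a command, space-separated parameters and an optional ':trailing' parameter) and can be decoded offline. The Python below is an example added to this archive page; it is not code from the thread or from either poster. It parses captured IRC lines, tracks the nick the infected host ended up registering (including the rename that follows a nickname-in-use reply), the channels it joined, and pulls out the channel messages that start with '.' or '!', which is an assumption about the command prefix the controller uses. The sample session, server name, nicks, addresses and channels are constructed for the example.

```python
"""Decode captured IRC lines from a suspected bot session (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: characters that bot herders commonly prefix commands with.
BOT_COMMAND_PREFIXES = ".!"


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: List[str]


def parse_irc_line(raw: str) -> IrcMessage:
    """Split one IRC line into prefix, command and parameters.

    The first ' :' starts the trailing parameter, which may contain spaces;
    middle parameters cannot, so partitioning on the first ' :' is exact.
    """
    line = raw.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    trailing = None
    if " :" in line:
        line, _, trailing = line.partition(" :")
    parts = line.split()
    if not parts:
        raise ValueError(f"malformed IRC line: {raw!r}")
    params = parts[1:]
    if trailing is not None:
        params.append(trailing)
    return IrcMessage(prefix, parts[0].upper(), params)


@dataclass
class Session:
    server: Optional[str] = None
    nick: Optional[str] = None
    user_line: Optional[str] = None
    channels: List[str] = field(default_factory=list)
    messages: List[Tuple[str, str, str]] = field(default_factory=list)  # (sender, target, text)


def nick_of(prefix: str) -> str:
    """'nick!user@host' -> 'nick'; a server prefix has no '!' and is returned whole."""
    return prefix.split("!", 1)[0]


def add_channels(session: Session, spec: str) -> None:
    for chan in spec.split(","):  # JOIN accepts a comma-separated channel list
        if chan and chan not in session.channels:
            session.channels.append(chan)


def summarise_session(lines) -> Session:
    """Walk both directions of one captured session and summarise what the host did."""
    s = Session()
    for raw in lines:
        if not raw.strip():
            continue
        m = parse_irc_line(raw)
        if m.prefix is None:
            # Registration and JOIN commands carry no prefix and come from the client
            # side, i.e. the infected host. Server PINGs also lack a prefix, which is
            # why only these commands are attributed to the client.
            if m.command == "NICK" and m.params:
                s.nick = m.params[0]  # a later NICK (after a 433 reply) replaces the earlier one
            elif m.command == "USER" and m.params:
                s.user_line = " ".join(m.params)
            elif m.command == "JOIN" and m.params:
                add_channels(s, m.params[0])
            continue
        if m.command == "001" and m.params:  # welcome reply: the nick the server accepted
            s.server = m.prefix
            s.nick = m.params[0]
        elif m.command == "JOIN" and m.params and nick_of(m.prefix) == s.nick:
            add_channels(s, m.params[0])  # server echo of our own JOIN, trailing form ':#chan'
        elif m.command == "PRIVMSG" and len(m.params) >= 2:
            s.messages.append((nick_of(m.prefix), m.params[0], m.params[1]))
    return s


def suspected_bot_commands(session: Session, prefixes: str = BOT_COMMAND_PREFIXES):
    """Channel messages that look like controller commands: read these first."""
    return [(sender, target, text) for sender, target, text in session.messages
            if target in session.channels and text and text[0] in prefixes]


# Constructed sample: both directions of one TCP 6667 session, in capture order.
SAMPLE_CAPTURE = [
    "NICK abcd-1234",
    "USER abcd 0 0 :abcd",
    ":irc.example.test 433 * abcd-1234 :Nickname is already in use.",
    "NICK abcd-5678",
    ":irc.example.test 001 abcd-5678 :Welcome to the Internet Relay Network abcd-5678",
    "PING :irc.example.test",
    "PONG :irc.example.test",
    "JOIN #lobby,#update",
    ":abcd-5678!abcd@10.0.0.5 JOIN :#lobby",
    ":abcd-5678!abcd@10.0.0.5 JOIN :#update",
    ":herder!h@10.9.8.7 PRIVMSG #lobby :.login s3cr3t",
    ":herder!h@10.9.8.7 PRIVMSG #lobby :.scan 10.0.0.0 24",
    ":chatter!c@10.9.8.8 PRIVMSG #lobby :anyone here?",
    ":herder!h@10.9.8.7 PRIVMSG abcd-5678 :.status",
]

if __name__ == "__main__":
    sess = summarise_session(SAMPLE_CAPTURE)
    print("server:", sess.server, "nick:", sess.nick, "channels:", sess.channels)
    for sender, target, text in suspected_bot_commands(sess):
        print(f"{sender} -> {target}: {text}")
```

Feeding it a real capture means extracting the TCP payload of the 6667 session as one line per IRC message (most sniffers can dump the stream as text) and passing those lines in place of SAMPLE_CAPTURE. The private message to the bot's own nick is deliberately not listed by suspected_bot_commands, so check session.messages as well when the herder talks to bots directly.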
    



    This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:09:48 PDT