Hello Lee,

That file is not malware. It is a DCOM disabler. It sets the key EnableDCOM under HKLM\Software\Microsoft\Ole\ to 'N'. By this the computer is immune to the RPC/DCOM exploit.

Wednesday, August 6, 2003, 1:50:13 PM, you wrote:

LE> Hi All,
LE> I have found an executable called secure.dcom.exe when looking around a
LE> customer's server. They hadn't patched the server above SP4 and I assume it
LE> has been exploited using the RPC DCOM vulnerability. A Serv-U FTP server has
LE> been installed, but I'm still looking into it to see if I can spot anything
LE> else. Netstat shows a bunch of outgoing connections to 6667 -
LE> irc.homelien.no. Unfortunately there are no IDS or other systems on this
LE> network segment I can use, so I'm looking for some way to capture this traffic
LE> and hopefully track down some more details on the IRC traffic - if anyone
LE> can recommend a good (preferably free) traffic sniffer I can quickly install
LE> on the host locally (win2k sp4) to decode the IRC traffic I would be
LE> grateful.
LE> The exe is available from http://www.leeevans.org/secure.dcom.exe - if
LE> anyone wants a look. I'd be interested to know more about it, if anyone has
LE> come across it before or can find out.
LE> Regards
LE> Lee

--
Best regards,
Sorin Victor Dudea
BitDefender
Head of Antivirus Research
E-mail: sdudeaat_private, sdudeaat_private
www.bitdefender.com
www.softwin.ro
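The registry change Sorin describes, and the outbound-6667 check Lee did by hand with netstat, as an added PowerShell example. This is not the secure.dcom.exe tool and not code from either poster; it only reads the EnableDCOM value and lists established connections to remote port 6667. The Set-ItemProperty line that would apply the workaround is left commented out, because disabling DCOM is a workaround (it needs a reboot and can break software that depends on DCOM), not a replacement for installing the vendor patch for the RPCSS flaw. Get-NetTCPConnection is assumed to be available (Windows 8 / Server 2012 and later); on older hosts the equivalent is `netstat -ano | findstr :6667`.

```powershell
# Added example, not code from the thread. Reads the EnableDCOM value that
# secure.dcom.exe is reported to set, and lists live connections to port 6667.

$olePath = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-DcomState {
    # EnableDCOM is a REG_SZ holding 'Y' or 'N'. When the value is missing
    # Windows treats DCOM as enabled.
    $item = Get-ItemProperty -Path $olePath -Name EnableDCOM -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'enabled (value not present)' }
    if ($item.EnableDCOM -eq 'N') { return 'disabled' }
    return "enabled (EnableDCOM=$($item.EnableDCOM))"
}

# Workaround only: the same change the DCOM disabler makes. Takes effect after
# a reboot and does not patch RPCSS. Uncomment to apply on a host you own.
# Set-ItemProperty -Path $olePath -Name EnableDCOM -Value 'N' -Type String

"DCOM state: $(Get-DcomState)"

function Get-IrcConnections {
    # Established TCP connections whose remote port is 6667, with the owning
    # process, so the IRC client Lee saw in netstat can be tied to a binary.
    Get-NetTCPConnection -RemotePort 6667 -State Established -ErrorAction SilentlyContinue |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '(unknown)' }
                Path    = if ($proc) { $proc.Path } else { '' }
            }
        }
}

Get-IrcConnections | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the suspect host; the process path from Get-IrcConnections is the first thing to hash and pull for analysis, and Get-DcomState tells you whether the disabler has actually been applied before the next reboot is counted on.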
This archive was generated by hypermail 2b30 : Fri Aug 08 2003 - 12:09:48 PDT