Focus on Virus Mode:
(Page 15 of 62)  < Prev  10 11 12 13 14 15 16 17 18 19 20  Next >
Re: wintbp.exe 2005-08-17
alex shipp (ashipp messagelabs com)
> From: "Mike" <mjcarter (at) ihug.co (dot) nz>
> ...
> AV is reactive by design...

Where have you been the last 5 years?

Some AV is reactive in design, but not all. For instance, McAfee products such
as McAfee VirusScan 8.0 can prevent the attack with the generic buffer overflow protection enabled. No doubt

Re: wintbp.exe 2005-08-18
shantinathteradale yahoo com
Yes, it is known as the WINTBP virus and you need to apply the latest MS patches, MS05-039 and MS05-041, to protect your server against this virus.

However you need to remove the virus from your servers if they are already infected. Here is the procedure to remove the virus.

1. Open Task Manager and end t

RE: wintbp.exe 2005-08-17
ttate ctscorp com
For those of you being infected by this, how did this get into your network(s)? Are ports 139 & 445 blocked at the perimeter?

Troy Tate
IT Security Manager
CTS Corp.
574-293-7511 x397
574-294-5718 fax

wintbp.exe 2005-08-17
Schlegel, Justin (justin schlegel ICTGROUP COM)
I can tell you from battling this beast for 12 hours that AV sigs will
stop it (at least Etrust can.) I was almost certain that it would not
be able to but after loading the new beta sig on our machines I
noticed that the system shutdown had ceased and the suspect file was
gone. Upon checking

RE: wintbp.exe 2005-08-17
Schlegel, Justin (justin schlegel ICTGROUP COM)
Yes I would have liked to provide additional information but I was dealing
with a worm for which no definitions existed. I simply noticed some 6000
machines shutting down on their own. Wintbp.exe was running on every one of
those machines. I understand that malicious code could generate random
filenam

RE: wintbp.exe 2005-08-17
Dowling, Gabrielle (dowlingg sullcrom com) (1 replies)
But the file download and execution therefore is the infection; the
buffer overflow is merely the process that permits an automatic download and
execution to occur. If your AV sigs are current they should prevent the
file from being written to disk (and perhaps that's where you're seeing
your alerts) and

RE: wintbp.exe 2005-08-17
Mike (mjcarter ihug co nz)
Re: wintbp.exe 2005-08-17
William O'Malley (wo andrew cmu edu)
Good points. More data would help as would not guessing.

On 8/16/05 11:49 PM, "Nick FitzGerald" <nick (at) virus-l.demon.co (dot) uk> wrote:

> From the incredible paucity of data posted, it certainly sounds as if
> it might be that...
>
> BUT, the data posted does not rule out that it is, in fact, the nex

Re: wintbp.exe 2005-08-17
Nick FitzGerald (nick virus-l demon co uk)
womalley (at) cmu (dot) edu wrote:

> Don't know if anyone responded yet, but this looks like zotob.e (MS05-039
> Plug and Play vulnerability).
> http://securityresponse.symantec.com/avcenter/venc/data/w32.zotob.e.html

From the incredible paucity of data posted, it certainly sounds as if
it might be that...

RE: wintbp.exe 2005-08-17
Joswiak, Johnny G. (jgjoswia UTMB EDU)

Oh yes it's true for this worm. The systems rebooting is a symptom of the buffer overflow.
The infectious executable is downloaded to the system after the buffer overflow occurs. The AV products WILL NOT stop the system from being infected, they will find the downloaded file afterwards!
Patch the s

Re: wintbp.exe 2005-08-17
jayjwa (jayjwa atr2 ath cx)

On Tue, 16 Aug 2005, Jacob Bresciani wrote:

-> Was this being started up in the registry?
-> HKLM\Software\Microsoft\Windows\CurrentVersion\Run....
-> or somewhere else?

HKLM, like usual, is what I heard. Run, I'd check RunOnce, RunServices,
etc... In other words, don't count too much on where t

RE: wintbp.exe 2005-08-17
Dowling, Gabrielle (dowlingg sullcrom com)
Despite what Russ Cooper posted on NTBugtraq two years ago in the wake
of Blaster, that is NOT true (and wasn't true then). While Blaster,
Sasser, and the recent MS05-039 exploits rely on a buffer overflow for a
remote infection mechanism, they all use the vulnerability to download
an infectious exe

RE: wintbp.exe 2005-08-16
Martin Chester - cmarti (Chester Martin acxiom com)
For some reason I get emails from this list, but can't post emails to
it.

Submit the file to www.virustotal.com, it scans the file with multiple
antivirus vendor's products and gives the results. It's really nice...

-----Original Message-----
From: Schlegel, Justin [mailto:justin.schlegel@ICTGROU

RE: wintbp.exe 2005-08-16
Schlegel, Justin (justin schlegel ICTGROUP COM)
Yes this file was located in a key named wintbp located in the run section
of the registry. I believe that this worm is using the same exploits that
are addressed in MS05-039. I have confirmed that once I delete the
file/registry keys and load the patch that addresses MS05-039 my symptoms go
away.

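Added example, not code from the thread: a PowerShell triage script that does what jayjwa and Justin describe above. It walks the usual Run, RunOnce and RunServices keys under HKLM and HKCU, reports any value whose name or command matches a pattern, hashes the referenced file and compares it with the MD5 sk3tch posted for wintbp.exe further down this page, and deletes the value only when asked. The key list, function names and the path parsing are my own assumptions; the MD5 is the one posted in this thread and identifies that one sample only, so variants will not match it.

```powershell
# Added example (not code from the thread). Run in an elevated PowerShell session.
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties the registry provider adds to every Get-ItemProperty result; not autorun values.
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    # One object per value under each key that exists (RunServices is absent on NT-family systems).
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $ProviderProps) { continue }
            [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-CommandPath {
    # Executable path from a command string: a quoted path, else the first whitespace-delimited
    # token (assumption: unquoted paths that contain spaces are not handled).
    param([string]$Command)
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Find-AutorunEntry {
    param(
        [Parameter(Mandatory)][string]$Pattern,   # regex matched against value name and command
        [string]$KnownMd5,                          # optional IOC hash to compare against
        [switch]$Remove                             # delete matching values (report only by default)
    )
    foreach ($entry in Get-AutorunEntry) {
        if ($entry.Name -notmatch $Pattern -and $entry.Command -notmatch $Pattern) { continue }
        $path = Get-CommandPath -Command $entry.Command
        $md5 = $null
        if ($path -and (Test-Path -LiteralPath $path)) {
            $md5 = (Get-FileHash -LiteralPath $path -Algorithm MD5).Hash.ToLower()
        }
        $entry | Add-Member -NotePropertyName Path -NotePropertyValue $path -PassThru |
            Add-Member -NotePropertyName MD5 -NotePropertyValue $md5 -PassThru |
            Add-Member -NotePropertyName MatchesKnownSample `
                -NotePropertyValue ([bool]($KnownMd5 -and $md5 -eq $KnownMd5.ToLower())) -PassThru
        if ($Remove) { Remove-ItemProperty -Path $entry.Key -Name $entry.Name }
    }
}

# Report matching entries; the hash is the one posted for wintbp.exe in this thread.
Find-AutorunEntry -Pattern 'wintbp' -KnownMd5 '7a67f7a8c844820c1bae3ebf720c1cd9' | Format-List
```

Run it without -Remove first and read the Path and MD5 columns; deleting the Run value does not stop a process that is already running, so end the process and patch for MS05-039 before relying on the registry cleanup, as the posts above describe. Writing to the HKLM keys needs an elevated session.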
RE: wintbp.exe 2005-08-16
Ellis, Steven (steven ellis cgi com)
The same virus seems to have hit CNN and is being shown live at this
time and the words are "be patient for a few more hours for a fix".

Regards,
Steve Ellis CISSP

-----Original Message-----
From: Schlegel, Justin [mailto:justin.schlegel (at) ICTGROUP (dot) COM]
Sent: August 16, 2005 3:01 PM
To: focus-virus

RE: wintbp.exe 2005-08-16
Dowling, Gabrielle (dowlingg sullcrom com)
Sounds like this rbot variant:
http://vil.nai.com/vil/content/v_135491.htm

G

-----Original Message-----
From: Schlegel, Justin [mailto:justin.schlegel (at) ICTGROUP (dot) COM]
Sent: Tuesday, August 16, 2005 3:01 PM
To: focus-virus (at) securityfocus (dot) c
Subject: wintbp.exe

Hi,

My company has recently been hit w

RE: wintbp.exe 2005-08-17
Joswiak, Johnny G. (jgjoswia UTMB EDU)
CA is calling it Win32.Peabot.A with a "Medium" alert, McAfee is calling it "W32/IRCbot.worm!MS05-039", Symantec has the Zotob.e, etcetera.
Patch the systems, this is an MS05-039 exploit. The various antivirus companies can only provide cleanup after the worm hits unless they have buffer overflow p

RE: wintbp.exe 2005-08-16
sk3tch sk3tch net

MD5SUM 7a67f7a8c844820c1bae3ebf720c1cd9 (wintbp.exe)

Trend Micro: WORM_RBOT.CBQ -
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_RBOT.CBQ
Symantec: Win32.Zotob.E
McAfee: exploit-dcomrpc
Kaspersky: Net-Worm.Win32.Small.d

-----Original Message-----
From: Schlegel, Justin [mai

RE: wintbp.exe 2005-08-16
Christian Kernodle (christian kernodle jmmdhs com)
Check CNN.com
http://www.cnn.com/2005/TECH/internet/08/16/computer.worm/index.html

And Trendmicro.com:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FRBOT%2ECBQ&VSect=Sn

Looks like CNN/ABC got taken down by this bugger.

CK

-----Original Message-----
From: Schlegel, Jus

FW: Fw: zotob 2005-08-16
jay.tomas (at) infosecguru (dot) com (jay tomas infosecguru com)
Just an observation ... by renaming admin accounts you'll thwart the simplest of script kiddies.
Anyone with an 'ounce' of skill will enumerate your box and look at the sid of the user ids.

e.g.

Username SID
WishICouldFoolYou S-1-5-21-329067152-789339058-725245543-500

500 is yo

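Added example, not part of Jay's post: PowerShell that performs the enumeration he describes, resolving the built-in local accounts by their well-known RIDs rather than by name, so a renamed Administrator is still reported as RID 500 (and Guest as RID 501). It queries Win32_UserAccount over CIM; the function name and the optional ComputerName parameter are my choices.

```powershell
# Added example (not code from the thread). Every local account SID is <machine SID>-<RID>;
# the built-in Administrator is always RID 500 and Guest RID 501, whatever they are renamed to.
function Get-WellKnownLocalAccount {
    param([string]$ComputerName)   # optional; a remote query goes over WinRM via CIM
    $query = @{ ClassName = 'Win32_UserAccount'; Filter = 'LocalAccount = TRUE' }
    if ($ComputerName) { $query.ComputerName = $ComputerName }
    Get-CimInstance @query |
        Where-Object { $_.SID -match '-(500|501)$' } |
        Select-Object Name, SID, Disabled,
            @{ Name = 'BuiltIn'; Expression = { if ($_.SID -match '-500$') { 'Administrator' } else { 'Guest' } } }
}

# Shows the current name of the RID 500 and RID 501 accounts on this machine.
Get-WellKnownLocalAccount
```

The same reasoning applies to a domain: the domain Administrator's SID is the domain SID followed by -500, so a rename changes the label in the Name column and nothing else an attacker would key on.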
wintbp.exe 2005-08-16
Schlegel, Justin (justin schlegel ICTGROUP COM) (6 replies)
Hi,

My company has recently been hit with some variety of virus that is
rebooting our machines. As far as I can tell the process causing the
problem is wintbp.exe. I have searched in google and all the major AV
vendors for this file with no luck. Does anyone have any information on
this process

Re: wintbp.exe 2005-08-17
Anish Shaikh (anishshaikh gmail com)
Re: wintbp.exe 2005-08-16
Ero Carrera (ero carrera gmail com)
Re: wintbp.exe 2005-08-16
Jeff Pricher (JeffPricher yahoo com)
Re: wintbp.exe 2005-08-16
Nick FitzGerald (nick virus-l demon co uk)
Re: wintbp.exe 2005-08-17
William O'Malley (wo andrew cmu edu)
Re: wintbp.exe 2005-08-16
Jacob Bresciani (jacob bresciani ca)
RE: Virus Outbreak Attacking MS05-039 2005-08-16
Lawrence, Kenneth E ERDC-CHL-MS Contractor (Kenneth E Lawrence erdc usace army mil)
There appear to be patches available for everything from W2K up.
Look for KB899588.

Ken Lawrence <mailto:lawrenk (at) wes.army (dot) mil>
HNS Consultants
Unix System Administrator

-----Original Message-----
From: Eddie Willett [mailto:Eddie.Willett (at) richmond.ppdi (dot) com]
Sent: Monday, August 15, 2005 3:36 P

Copyright 2010, SecurityFocus