I have been experiencing an attack that I suspect is related to this issue but does not completely fit the described profile. As I have not read anything with this behavior yet, I will describe it here and see if anyone has any thoughts.

First indicators of infection hit a Florida installation on Thursday PM (8/11 - EST). Users being as they are, this was reported indirectly to the IS dept Monday AM. Research indicates that an external system attached to DSL was infected at the same time. An additional system attached to DSL appears to have suffered infection late PM on Friday.

The most dominant indicator of a compromised system (under W2K) is that the user's desktop does not appear during the boot process. The task manager indicates that explorer.exe is running, it simply does nothing.

Running explorer.exe will display the desktop but the system will not perform correctly. The following functions are confirmed affected:

-Copy/Move files - Disabled

-Network Connections - No adaptors displayed on list

-"Program Files" directory - won't list files (can still get to the individual directories).

- User Settings - Can not access advanced properties.

- File Window Displays - only shows left 1/3 of window (sometimes with a scroll bar?).

- Search/Find is disabled

- Update.microsoft.com does not seem to display (not confirmed on all systems)

This is only what I've observed dealing with these systems for the last several hours, and do not represent a complete list of disabled functions.

These exact symptoms have duplicated on computers attached to 2 separate DSL systems (Atlanta, Orlando)in addition to several attached to a corporate network.

Infection occurs across the network (no user action involved). An attempt to reinstall W2K while attached to the network (predictably) resulted in infection at first boot (or net component installation?).

Is this the same RPC issue? Or is there a nastier variant in the wild that is not yet discussed? Or is this a separate known problem?

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/6689/21215#21215