Security Incidents mailing list archives
RE: WINS CLient Service
From: " wyldchilde" <wyldchilde () allofyourgodsaredead com>
Date: Fri, 12 Dec 2003 10:35:52 -0800
It's W32/Nachi or Welchia if you look at the Symantec site. It uses the RPC/DCOM exploit to infect the system. It's also supposed to remove msblast and automatically delete itself if the system date is 2004. The easiest way to remove it is to download Stinger from NAI or FixWelch.exe from Symantec.

Cheers,
Bryan

Has anyone seen a virus/worm or misconfiguration load the WINS Client Service on a Win2k Server? In all the servers I have built I have never seen this service, it basically had a dllhost.exe and svchost.exe copy in the c:\winnt\system32\wins directory, and svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe in it.

If anyone has run into this before let me know what solutions you might have found,
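A triage check for the artifacts described in this thread, added here as an example and not part of any poster's message or of the vendor removal tools named above. It assumes PowerShell 4.0 or later on Windows (for `Get-Item -Stream` and `Get-FileHash`); the function name `Test-WinsDirArtifacts` and its `SystemRoot` parameter are hypothetical, and the parameter may point at a mounted image of the suspect server.

```powershell
# Added example: look for the files reported in the thread under system32\wins.
# Assumptions: PowerShell 4.0+ on Windows; function and parameter names are illustrative.
function Test-WinsDirArtifacts {
    param([string]$SystemRoot = $env:SystemRoot)

    $sys32   = Join-Path $SystemRoot 'system32'
    $winsDir = Join-Path $sys32 'wins'
    $tftp    = Join-Path $sys32 'tftp.exe'

    # Hash of the system's own tftp.exe, used to spot the renamed copy the thread describes.
    $tftpHash = if (Test-Path -LiteralPath $tftp -PathType Leaf) {
        (Get-FileHash -LiteralPath $tftp -Algorithm SHA256).Hash
    }

    # The legitimate dllhost.exe and svchost.exe live in system32 itself, not in system32\wins.
    foreach ($name in 'dllhost.exe', 'svchost.exe') {
        $path = Join-Path $winsDir $name
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }

        $item = Get-Item -LiteralPath $path -Force
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash

        # Every NTFS file has the unnamed ':$DATA' stream; anything else is an alternate data stream.
        $ads = @(Get-Item -LiteralPath $path -Stream * |
                 Where-Object { $_.Stream -ne ':$DATA' })

        [pscustomobject]@{
            Path             = $path
            Length           = $item.Length
            # Version resource often still names the original binary after a rename.
            OriginalFilename = $item.VersionInfo.OriginalFilename
            SameHashAsTftp   = ($null -ne $tftpHash) -and ($hash -eq $tftpHash)
            AlternateStreams = ($ads | ForEach-Object {
                                   '{0} ({1} bytes)' -f $_.Stream, $_.Length
                               }) -join '; '
        }
    }
}

Test-WinsDirArtifacts | Format-List
```

No output means neither file exists under `system32\wins`; any object returned is worth collecting before running a removal tool, since cleanup deletes the evidence.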
Current thread:
- RE: WINS CLient Service Ziots, Edward (Dec 08)
- <Possible follow-ups>
- RE: WINS CLient Service Gilmore, Corey (DPC) (Dec 08)
- RE: WINS CLient Service Ziots, Edward (Dec 08)
- RE: WINS CLient Service wyldchilde (Dec 12)