Security Incidents mailing list archives

RE: WINS CLient Service


From: " wyldchilde" <wyldchilde () allofyourgodsaredead com>
Date: Fri, 12 Dec 2003 10:35:52 -0800





It's W32/Nachi or Welchia if you look at the Symantec site. It
uses the RPC/DCOM exploit to infect the system. It's also
supposed to remove msblast and automatically delete itself if the
system date is 2004. The easiest way to remove it is to download
stinger from NAI or FixWelch.exe from Symantec.

Cheers,

Bryan

Has anyone seen a virus/worm or misconfiguration load the WINS Client
Service on a Win2k Server? In all the servers I have built I have
never seen this service. It basically had a dllhost.exe and
svchost.exe copy in the c:\winnt\system32\wins directory, and
svchost.exe was a renamed copy of tftp.exe, and dllhost.exe had an
alternative stream of nc.exe in it.

If anyone has run into this before let me know what solutions you
might have found,
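
The three indicators described in this thread (a core Windows binary name under system32\wins, a file whose content matches a differently named system binary, and an alternate data stream) can be checked over a file inventory. This is an added example, not part of the original posts; the inventory format, the placeholder hash values and the function name `triage` are assumptions made up for illustration.

```python
import ntpath

# Constructed inventory (not from the original posts):
# (path, stream name or "" for the main stream, content hash).
# Hash values are short placeholders invented for this example.
INVENTORY = [
    (r"C:\WINNT\system32\svchost.exe", "", "aa11"),
    (r"C:\WINNT\system32\dllhost.exe", "", "bb22"),
    (r"C:\WINNT\system32\tftp.exe", "", "cc33"),
    (r"C:\WINNT\system32\wins\svchost.exe", "", "cc33"),
    (r"C:\WINNT\system32\wins\dllhost.exe", "", "dd44"),
    (r"C:\WINNT\system32\wins\dllhost.exe", "nc.exe", "ee55"),
]

SYSTEM_DIR = r"c:\winnt\system32"
# Binaries expected only directly under SYSTEM_DIR.
CORE_NAMES = {"svchost.exe", "dllhost.exe"}


def triage(inventory, system_dir=SYSTEM_DIR):
    """Return sorted (path, reason) findings for the three indicators."""
    # Map content hash -> file name for main streams directly in system_dir.
    known = {}
    for path, stream, digest in inventory:
        if not stream and ntpath.dirname(path).lower() == system_dir:
            known.setdefault(digest, ntpath.basename(path).lower())

    findings = set()
    for path, stream, digest in inventory:
        name = ntpath.basename(path).lower()
        in_system_dir = ntpath.dirname(path).lower() == system_dir
        if stream:
            # Any named stream on an executable deserves a look.
            findings.add((path, f"alternate data stream '{stream}'"))
            continue
        if name in CORE_NAMES and not in_system_dir:
            findings.add((path, "core binary name outside system directory"))
        original = known.get(digest)
        if original and original != name:
            # Same content as a system binary, but under another name.
            findings.add((path, f"content matches {original}"))
    return sorted(findings)


if __name__ == "__main__":
    for path, reason in triage(INVENTORY):
        print(f"{path}: {reason}")
```

The inventory has to come from a stream-aware listing, since ordinary directory listings do not show alternate data streams.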

