From: Michael B. Morell (MMorell@vdat.com)
Date: Wed Jul 03 2002 - 11:30:12 CDT
A quick ps of the running apps showed:

HWND     PID   PRIO  UTime     KTime     NAME
4f0146   1256  NORM  00:00:00  00:00:00  C:\WINNT\System32\cmd.exe - ps
3007e    1104  NORM  00:00:00  00:00:02  Power Meter
40092    1104  NORM  00:00:00  00:00:02  Connections Tray
4009a    1104  NORM  00:00:00  00:00:02  MS_WebcheckMonitor
300ac    1104  NORM  00:00:00  00:00:02  Address
5003a    1104  NORM  00:00:00  00:00:02  DDE Server Window
5c010a   1676  NORM  00:00:12  00:00:28  Registry Editor
3008a    1104  NORM  00:00:00  00:00:02  Program Manager
When I kill (linux kill) pid 1104 the desktop (aka explorer.exe) shuts down
and reloads. A little different behaviour than if I kill it through Task
Manager.
Everything is linked to the desktop, or else it would have a HWND of 0.
BTW, when I said shell= I meant shell=explorer.exe / address.
I was trying to look for anything that was using explorer.exe as its shell
in the registry.
A constant theme through this though is that it corresponds somehow to
explorer.exe. If I kill explorer, the address app is killed also.
If I bring explorer.exe back, so does the address app.
I yield to the fact that the name address is probably a pseudonym for the
real McCoy. The question is what?
explorer.exe has not been replaced. If it had been then this would all make
sense and would be easy.
After I kill explorer.exe through Task Manager, these are the results:

HWND     PID   PRIO  UTime     KTime     NAME
3700e8   1692  HIGH  00:00:00  00:00:00  Windows Task Manager
4f0146   1256  NORM  00:00:00  00:00:00  C:\WINNT\System32\cmd.exe - ps
5c010a   1676  NORM  00:00:12  00:00:28  Registry Editor
Notice everything associated with the overall PID 1104 was removed.
I'm not versed on what MS_WebcheckMonitor is and neither was the M$ KB,
SecurityFocus, or Google. I was only able to find vague references to it.
So if anyone has knowledge of what it is, that would be great also. I have
a feeling that the two might be linked.
-----Original Message-----
From: Michael B. Morell [mailto:MMorell@vdat.com]
Sent: Wednesday, July 03, 2002 10:15 AM
To: 'Sergey Latkin'
Cc: incidents@securityfocus.com
Subject: RE: Anyone seen this before?
Thx.... But there is no folder located on that system named 'address', I
know where you are going with this but it's not the correct path.
The icon is a generic program icon.
HC asked - What do you mean by "linked"? What does this mean,
and what did you do (or what tool did you use) to
verify or discover this?
The answer to this is, in task manager, you can right click on any app
running in the applications window, and choose "go to process".
The process that I was brought to was explorer.exe.
If I kill explorer.exe (which gets rid of my desktop as expected) the
address app is also killed. If I start explorer.exe up again, the app
reappears.
I was unable to find any shell= reference in the registry. No programs that
even remotely resemble what I am seeing exist on this machine.
This machine is generally locked down both physically and electronically.
You just can't walk up to the machine and log in. So where ever it came
from was not installed interactively and is hidden somewhere.
-----Original Message-----
From: Sergey Latkin [mailto:slatkin@phg.com]
Sent: Tuesday, July 02, 2002 7:15 PM
To: Michael B. Morell
Cc: incidents@securityfocus.com
Subject: Re: Anyone seen this before?
Michael
If you open folder named 'address' in explorer, the task mgr will show
exactly what you described. BTW, what icon was shown next to the app?
Sergey
On 2 July 2002 18:04, Michael B. Morell wrote:
> I found an odd application running on a 2k server box that I have not seen
> before, or is at least not obvious to me.
>
> In task mgr, The application 'address' (w/o quotes) is running and is
> linked to the explorer.exe proc.
>
> <!--begin the obvious-->
[snip the obvious :]]
> <!--end the obvious-->
>
> If anyone has seen this before please let me know. A search on google did
> not provide any solid leads. I did follow thru on checking for known code
> red/nimda/things that were close but not really leads.
>
> I appreciate any insight from the list.
>
> Oh, and please don't bother to tell me to blow away the OS and start from
> scratch. While I appreciate the suggestion, i'm looking for leads, not the
> obvious.
>
> Thanks,
>
> Mike
>
> --------------------------------------------------------
> \Your mission is to destroy users will to use bandwidth/
> --------------------------------------------------------
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
--
Sergey Latkin
Chief Technology Officer
Pinnacle Health Group
1-(800)-492-7771
slatkin@phg.com
http://www.phg.com
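The thread above pins the 'address' entry to explorer.exe by two routes: Task Manager's "Go To Process" and the HWND column of a Windows ps port, where every window listed under PID 1104 dies and returns with the shell. Both are the same operation, mapping a top-level window to its owning process. The script below is an added example, not code from the thread or from any of the posters, that does that mapping from PowerShell and then goes one step further than the thread did: it reports the owning image's Authenticode status and the loaded modules that carry no valid signature. That second step matters because code loaded into explorer.exe (shell extensions, taskbar bands, browser helper objects) owns its windows under explorer's PID and shows no program of its own on disk, which is consistent with the behaviour described above without proving what 'address' was. Assumptions: Windows with PowerShell 5.1 or later and user32.dll available; the window title 'address' in the usage lines is taken from the thread, and every PID, path and HWND will differ on your host.

```powershell
# Added example (not from the original thread): map top-level windows to their owning
# process, then inspect that process's image and loaded modules.
# Assumes Windows + PowerShell 5.1+; P/Invoke into user32.dll for window enumeration.

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
using System.Text;

public static class Win32Windows {
    public delegate bool EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

    [DllImport("user32.dll")]
    public static extern bool IsWindowVisible(IntPtr hWnd);

    [DllImport("user32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int GetWindowText(IntPtr hWnd, StringBuilder lpString, int nMaxCount);

    [DllImport("user32.dll", SetLastError = true)]
    public static extern uint GetWindowThreadProcessId(IntPtr hWnd, out uint lpdwProcessId);
}
"@

function Get-WindowOwner {
    # Equivalent of Task Manager's "Go To Process": every top-level window whose title
    # matches -Title, with HWND, owning PID, process name and image path.
    param(
        [string]$Title = '*',     # wildcard pattern, e.g. 'address' or '*Monitor*'
        [switch]$IncludeHidden    # Task Manager's Applications tab lists only visible windows
    )
    $rows = New-Object System.Collections.Generic.List[object]
    $callback = [Win32Windows+EnumWindowsProc]{
        param([IntPtr]$hWnd, [IntPtr]$lParam)
        $visible = [Win32Windows]::IsWindowVisible($hWnd)
        if (-not $visible -and -not $IncludeHidden) { return $true }
        $sb = New-Object System.Text.StringBuilder 512
        [void][Win32Windows]::GetWindowText($hWnd, $sb, $sb.Capacity)
        $text = $sb.ToString()
        if ($text -like $Title) {
            [uint32]$ownerPid = 0
            [void][Win32Windows]::GetWindowThreadProcessId($hWnd, [ref]$ownerPid)
            $proc = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
            $name = '?'; $path = '?'
            if ($proc) { $name = $proc.ProcessName; $path = $proc.Path }
            $rows.Add([pscustomobject]@{
                HWND    = '{0:x}' -f $hWnd.ToInt64()   # same hex form as the ps listing
                PID     = $ownerPid
                Process = $name
                Path    = $path
                Visible = $visible
                Title   = $text
            })
        }
        return $true   # keep enumerating
    }
    [void][Win32Windows]::EnumWindows($callback, [IntPtr]::Zero)
    return $rows
}

function Get-ProcessModuleReport {
    # For one PID: image path, its Authenticode status, and every loaded module whose
    # signature is missing or invalid. In-process components of explorer.exe show up here,
    # not as a separate process and not as a program you can find by name on disk.
    param([Parameter(Mandatory)][int]$ProcessId)
    $proc = Get-Process -Id $ProcessId -ErrorAction Stop
    if (-not $proc.Path) { throw "No image path for PID $ProcessId (access denied?)" }
    $imageSig = Get-AuthenticodeSignature -FilePath $proc.Path
    $unsigned = @($proc.Modules | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FileName -ErrorAction SilentlyContinue
        if (-not $sig -or $sig.Status -ne 'Valid') { $_.FileName }
    })
    [pscustomobject]@{
        PID      = $proc.Id
        Image    = $proc.Path
        ImageSig = $imageSig.Status     # 'Valid' for an unmodified Microsoft binary
        Unsigned = $unsigned
    }
}

# Usage: who owns a window titled 'address' (title taken from the thread), then what is
# loaded into that process. Expect explorer.exe for shell-hosted windows.
$hits = Get-WindowOwner -Title 'address'
$hits | Format-Table HWND, PID, Process, Path, Title -AutoSize
foreach ($h in ($hits | Where-Object { $_.PID -ne 0 } | Select-Object -Unique PID)) {
    Get-ProcessModuleReport -ProcessId $h.PID | Format-List
}
```

Run it elevated so Get-Process can read the image path and module list of processes in other sessions. ImageSig answers the "has explorer.exe been replaced" question directly for the binary that owns the window; an unsigned or non-Microsoft entry in Unsigned is where to look next when the window has no process of its own. Run with -IncludeHidden to also see the windows Task Manager's Applications tab hides, such as the 'DDE Server Window' and 'MS_WebcheckMonitor' entries that the ps listing above showed under the same PID.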