RE: WINS CLient Service
From: Gilmore, Corey (DPC) (Corey_Gilmore dpc.senate.gov)
Date: Mon Dec 08 2003 - 13:41:39 CST
If you're asking about the files in %system%\wins, they're installed by
Welchia/Nachia. You'll find them on any infected PC, workstation or
server.
http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html#technicaldetails
You can remove them with the removal tool,
http://www.symantec.com/avcenter/FixWelch.exe
> -----Original Message-----
> From: Ziots, Edward [mailto:EZiots Lifespan.org]
> Sent: Monday, December 08, 2003 9:17 AM
> To: 'incidents securityfocus.com'
> Subject: RE: WINS CLient Service
>
> Has anyone seen a virus/worm or misconfiguration load the WINS Client
> Service on a Win2k Server? In all the servers I have built I have never
> seen this service, it basically had a dllhost.exe and svchost.exe copy in
> the c:\winnt\system32\wins directory, and svchost.exe was a renamed
> copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe in it.
>
> If anyone has run into this before let me know what solutions you might
> have found,
>
>
> Edward Ziots
> Windows NT/Citrix Administrator
> Lifespan Network Services
> MCSE,MCSA,MCP+I,M.E,CCA,Security +, Network + eziots lifespan.org
> Cell:401-639-3505
> Pager:401-350-5284
>
> **********************
> Confidentiality Notice
> **********************
> The information transmitted in this e-mail is intended only
> for the person or entity to which it is addressed and may
> contain confidential and/or privileged information. Any
> review, retransmission, dissemination or other use of or
> taking of any action in reliance upon this information by
> persons or entities other than the intended recipient is prohibited.
> If you received this e-mail in error, please contact the
> sender and delete the e-mail and any attached material
> immediately. Thank you.
>
> -----Original Message-----
> From: David Ahmad [mailto:da securityfocus.com]
> Sent: Friday, December 05, 2003 5:05 PM
> To: Ziots, Edward
> Subject: Re: WINS CLient Service
>
> Please post this to the INCIDENTS mailing list
> <incidents securityfocus.com>.
>
> On Fri, Dec 05, 2003 at 05:19:59PM -0500, Ziots, Edward wrote:
> > Has anyone seen a virus/worm or misconfiguration load the WINS Client
> > Service on a Win2k Server? In all the servers I have built I have never
> > seen this service, it basically had a dllhost.exe and svchost.exe copy in
> > the c:\winnt\system32\wins directory, and svchost.exe was a renamed
> > copy of tftp.exe, and dllhost.exe had an alternative stream of nc.exe in it.
> >
> > If anyone has run into this before let me know what solutions you might
> > have found,
> >
> > -----Original Message-----
> > From: Greg Meehan [mailto:GMeehan LifeTimeFitness.com]
> > Sent: Friday, December 05, 2003 3:05 PM
> > To: 3APA3A; Mr. P.Taylor
> > Cc: aleph1 securityfocus.com; bugtraq securityfocus.com
> > Subject: RE: Websense Blocked Sites XSS
> >
> > FYI: You can use a customized block page in /custom that does not
> > display the URL, such as creating a "Sorry, This URL is Blocked" page
> > with your company's logo. Heck, you can also just edit the
> > "master.html" block page in the /default dir to remove the URL
> > displayed field.
> >
> > -Greg
> >
> > -----Original Message-----
> > From: 3APA3A [mailto:3APA3A SECURITY.NNOV.RU]
> > Sent: Friday, December 05, 2003 7:09 AM
> > To: Mr. P.Taylor
> > Cc: aleph1 securityfocus.com; bugtraq securityfocus.com
> > Subject: Re: Websense Blocked Sites XSS
> >
> > Dear Mr. P.Taylor,
> >
> > It runs error message in context of blocked site. Now let's try to
> > find out possible impacts:
> >
> > 1. It's possible to run javascript on the user host in context
> > of blocked site. But it's most likely blocked site is not in
> > list of trusted web sites on user's host, so it's impossible to get
> > something different from running same script on another webpage.
> >
> > 2. It's possible to steal cookie, submit some forms, etc, on blocked site.
> > But site is blocked. So, it's impossible to steal something or
> > submit something to this site.
> >
> > Conclusion: there is no security impact
> >
> > Post Conclusion: Guys, it's perfect you can find all these XSS/CSS
> > bugs in John Doe's guest books, Read-Doc-from-CDRom servers, etc. But
> > please think about _security_ impact before submitting this to
> > _security_ related lists.
> >
> > --Wednesday, December 3, 2003, 7:35:39 PM, you wrote to
> > dhubbard websense.com:
> >
> > MPT> Websense Blocked Sites XSS
> >
> > MPT> Risk: High
> >
> > MPT> Product: Websense Enterprise v4.3.0 - v5.1 (Maybe others we only
> > MPT> tested this version)
> >
> > MPT> Product URL: http://www.websense.com
> >
> > MPT> Found By: PeterT - petert imagine-sw.com
> >
> > MPT> Problem:
> > MPT> When Websense blocks a web site, it returns a web page to the
> > MPT> browser stating that the site has been blocked. This error
> > MPT> message contains the URL which was requested. Websense does not
> > MPT> do any validation or encoding of the URL before returning it in
> > MPT> the error message. This allows an attacker to supply a URL that
> > MPT> contains script (JavaScript, ActiveX, VB). This script will run in
> > MPT> the context of a server in the trusted domain and combined with
> > MPT> other IE flaws can have serious consequences.
> >
> > MPT> We have marked this as a High risk because we believe that
> > MPT> allowing attackers to run arbitrary programs on your desktop at
> > MPT> will, is a serious problem.
> >
> > MPT> Proof of Concept:
> > MPT> A URL like
> > MPT> http://BlockedSite?<SCRIPT>alert('hello')</SCRIPT> will run script.
> >
> > MPT> Resolution:
> > MPT> The vendor has come out with a patch. Notified on Nov 29, 2003.
> >
> > MPT> Thanks to Websense for fixing this issue.
> >
> > MPT> Disclaimer:
> > MPT> Standard disclaimer applies. The opinions expressed in this
> > MPT> advisory are our own and not of any company. The information
> > MPT> within this advisory may change without notice. Use of this
> > MPT> information constitutes acceptance for use in an AS IS condition.
> > MPT> There are no warranties with regard to this information. In no
> > MPT> event shall the author be liable for any damages whatsoever
> > MPT> arising out of or in connection with the use or spread of this
> > MPT> information. Any use of this information is at the user's own risk.
> >
> >
> > --
> > ~/ZARAZA
>
> --
> David Mirza Ahmad
> Symantec
>
> PGP: 0x26005712
> 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12
> --
> The battle for the past is for the future.
> We must be the winners of the memory war.
>
>
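The thread above describes three artifacts: files under %system%\wins, an svchost.exe there that is a renamed copy of tftp.exe, and a dllhost.exe carrying an alternate data stream. The following read-only triage script checks for all three; it is an added example, not part of any message in the thread. The function name Get-WinsDirFinding and its parameters are hypothetical, and it assumes PowerShell 4.0 or later on an NTFS volume.

```powershell
# Added triage example (not from the thread). Read-only: lists files, streams and hashes.
# Assumption: PowerShell 4.0+ (Get-FileHash, Get-Item -Stream), NTFS, run as administrator.
function Get-WinsDirFinding {
    param(
        # Directory named in the thread: %system%\wins (c:\winnt\system32\wins on Win2k)
        [string]$WinsDir  = (Join-Path $env:SystemRoot 'System32\wins'),
        # Genuine tftp.exe used as the comparison baseline (may be absent on some builds)
        [string]$TftpPath = (Join-Path $env:SystemRoot 'System32\tftp.exe')
    )
    if (-not (Test-Path -LiteralPath $WinsDir -PathType Container)) { return }

    $tftpHash = $null
    if (Test-Path -LiteralPath $TftpPath -PathType Leaf) {
        $tftpHash = (Get-FileHash -LiteralPath $TftpPath -Algorithm SHA256).Hash
    }

    foreach ($file in Get-ChildItem -LiteralPath $WinsDir -File -Force) {
        $hash = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256 `
                 -ErrorAction SilentlyContinue).Hash
        # Every NTFS file has the unnamed ':$DATA' stream; any other name is an alternate stream.
        $ads = @(Get-Item -LiteralPath $file.FullName -Stream * -Force |
                 Where-Object { $_.Stream -ne ':$DATA' })
        [pscustomobject]@{
            Path             = $file.FullName
            SHA256           = $hash
            IsExecutable     = $file.Extension -in '.exe', '.dll'
            # True when the file is byte-identical to tftp.exe under another name
            MatchesTftp      = ($null -ne $tftpHash -and $hash -eq $tftpHash)
            AlternateStreams = ($ads | ForEach-Object {
                                   '{0} ({1} bytes)' -f $_.Stream, $_.Length
                               }) -join '; '
        }
    }
}

# A real WINS server keeps its database files in this directory, so only
# executables and files with alternate streams are reported.
Get-WinsDirFinding |
    Where-Object { $_.IsExecutable -or $_.AlternateStreams } |
    Format-List
```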