[Full-Disclosure] win2kup2date.exe ?
Über GuidoZ
uberguidoz at gmail.com
Thu Sep 2 19:33:53 BST 2004
I believe someone else mentioned this site on this list (not sure),
but have you tried running it through www.VirusTotal.com? A nice place
for a quick 2nd opinion. If you want to email me a copy of it, I'll
rip it apart and see what can be seen.
P.S. Send it to guidoz at guidoz.com - it's my "catch all" for
virus/unknown files. Just be sure to ZIP it up or else the web host
won't let it through. Otherwise I have disabled all checks/scan.
Downloads directly to a secured Linux box.
--
Peace. ~G
On Thu, 2 Sep 2004 15:33:17 +0200 (CEST), bashis <mcw at wcd.se> wrote:
> Hi
>
> Anyone heard about a file called "win2kup2date.exe" ?
> (Google says nothing found..;)
>
> I did a controlled test with a XP Pro box w/o patches on Inet
> and this little thingy came on my testbox thrue some sort of RPC exploit,
> tftp'ed down this file from connecting machine, started with SYSTEM,
> and tries to connect up to IRC.
>
> McAfee Virusscan Enterprise v8.0i with latest DAT's didn't find
> any strange with this file..
>
> That was actually my test, v8.0 of McAfee virusscan have a future of
> "buffer overflow protection", it stopped the wellknown public RPC/DCOM
> exploit, but not the exploit that putted "win2kup2date.exe" on my testbox.
>
> Well, so mutch for the new "buffer overflow protection" future.. crap.. ;)
>
> Have a nice day
> /bashis
Full-Disclosure is hosted and sponsored by Secunia.