Home page logo

basics logo Security Basics mailing list archives

Re: worm that crashes win explorer upon search
From: Douglas Duckworth <stlpcsecurity () gmail com>
Date: Wed, 17 Aug 2005 08:34:53 -0500

Sorry, sent it to wrong address..

On 8/17/05, Douglas Duckworth <stlpcsecurity () gmail com> wrote:
DEP only works on certian processors.

"Data Execution Prevention (DEP) is a set of hardware and software
technologies that perform additional checks on memory to help prevent
malicious code from running on a system. In Microsoft Windows XP
Service Pack 2 (SP2) and Microsoft Windows XP Tablet PC Edition 2005,
DEP is enforced by hardware and by software.

The primary benefit of DEP is to help prevent code execution from data
pages. Typically, code is not executed from the default heap and the
stack. Hardware-enforced DEP detects code that is running from these
locations and raises an exception when execution occurs.
Software-enforced DEP can help prevent malicious code from taking
advantage of exception-handling mechanisms in Windows."

You could try blocking ports with IPSec:

Also, you could try installing ethereal, which will give a better idea
how it is spreading.  I would not recommend that you use it in an
infected pc, however, use it on a firewalled computer which is up to
date with patches.

And the windows firewall may help for computers that are not currently
infected, however, it will not block outgoing traffic.


On 8/16/05, Luis Osorio <luis.osorio () parfois com> wrote:

Try to check DEP (Data Execution Prevention). This could happen if explorer is trying to launch the search program.


Luis Osório
Parfois - IT Department
Barata & Ramilo, S.A.
Rua de Sistelo
Lugar de Santegãos
4435-429 Rio Tinto

-----Original Message-----
From: Leon [mailto:roastin () yahoo com]
Sent: segunda-feira, 1 de Agosto de 2005 21:20
To: security-basics () securityfocus com
Subject: worm that crashes win explorer upon search


I have a client who suspects that they may have a worm running around there network that is infecting machines 
through open shares or some other means of propogation.  The symptom is that when people open up windows exploer 
and try to search the explorer.exe process dies.

I installed the microsoft spyware application and they are using up-to-date virus definitions with their scanner.  
I also went through netstat looking for strange open port and saw nothing.  The event log also has nothing out of 
the ordinary in it

What is the best way to troubleshoot something like this?  I can get the dump file from dr watson but I am unsure 
where to go from there.

Suggestions appreciated.



Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]