> Intrusion.Win.NETAPI.buffer-overflow.exploit
cupez80
post 28.11.2008 10:58
Post #1
Advanced Member I
Group: Public Testers
Posts: 178
Joined: 17.06.2005
From: Surabaya - Indonesia

I got this Intrusion.Win.NETAPI.buffer-overflow.exploit. What is this?
Shinigami
post 28.11.2008 11:15
Post #2
Advanced Member V
Group: Members
Posts: 1145
Joined: 28.03.2008
From: "tax free"

Searching the web I found this:
1. Belonging to exploit this type of network attacks, and so they need to fight the patch system.
2. Common approach can also disable the firewall port 445 to prevent such attacks, and can check the event log for the hybrid threats, if (for example, includes other types of the virus) proposed a comprehensive scan.
3. Send to Kaspersky.
(The site I found it on was Chinese; along with other sites, they more or less say the same thing.) I would wait for a mod before disabling firewall ports.

What exactly is popping up?

This post has been edited by Shinigami: 28.11.2008 11:22


--------------------
1. Windows 7 32-bit Ultimate (not in use). 2. Windows 7 64-bit, 500gb HD, 4gb ram, Nvidia GeForce GT 425M, i5-480M (in use)
FF: current; KIS/KAV and PURE Tester since Kaspersky 6 with real computer (always).
Currently Beta Testing: N/A Trying to get into graduate school
Current job:pm me for info
cupez80
post 29.11.2008 04:01
Post #3
Advanced Member I
Group: Public Testers
Posts: 178
Joined: 17.06.2005
From: Surabaya - Indonesia

QUOTE(Shinigami @ 28.11.2008 08:15)
Searching the web I found this:
1. Belonging to exploit this type of network attacks, and so they need to fight the patch system.
2. Common approach can also disable the firewall port 445 to prevent such attacks, and can check the event log for the hybrid threats, if (for example, includes other types of the virus) proposed a comprehensive scan.
3. Send to Kaspersky.
(The site I found it on was Chinese; along with other sites, they more or less say the same thing.) I would wait for a mod before disabling firewall ports.

What exactly is popping up?

The pop-up says "Intrusion.Win.NETAPI.buffer-overflow.exploit from IP xxx.xxx.xxx.xxx port 445 has been blocked."
I know it's safe because Kaspersky has blocked the intrusion... but I just want to know which malware does this.
Is there any new worm spreading?
cupez80
post 29.11.2008 08:13
Post #4
Advanced Member I
Group: Public Testers
Posts: 178
Joined: 17.06.2005
From: Surabaya - Indonesia

QUOTE(cupez80 @ 29.11.2008 01:01)
The pop-up says "Intrusion.Win.NETAPI.buffer-overflow.exploit from IP xxx.xxx.xxx.xxx port 445 has been blocked."
I know it's safe because Kaspersky has blocked the intrusion... but I just want to know which malware does this.
Is there any new worm spreading?

Maybe MS08-067 - Worm Exploiting Unpatched Systems in the Wild.
Does Kaspersky have detection for this malware?
Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software]

This post has been edited by cupez80: 29.11.2008 08:27
Abrar Ahmed
post 2.12.2008 07:18
Post #5
Newbie
Group: Members
Posts: 1
Joined: 13.08.2008

I am also having this problem since yesterday. Is this a serious problem? It is urgent for me, because I am using Kaspersky in the office.
knightm4r3
post 2.12.2008 09:23
Post #6
Advanced Member I
Group: Members
Posts: 67
Joined: 14.12.2007

This could occur due to the MS vulnerability MS08-067.
Install this hotfix if you haven't already done so: http://www.microsoft.com/technet/security/...n/MS08-067.mspx

Thanks,
jdime
post 2.12.2008 12:26
Post #7
Newbie
Group: Members
Posts: 5
Joined: 2.12.2008

The problem also happened on my workstations.
cupez80
post 2.12.2008 12:35
Post #8
Advanced Member I
Group: Public Testers
Posts: 178
Joined: 17.06.2005
From: Surabaya - Indonesia

QUOTE(jdime @ 2.12.2008 09:26)
The problem also happened on my workstations.

The malware is known as Net-Worm.Win32.Kido.r.

Edit: deleted attachments from quote.


This post has been edited by richbuff: 8.03.2009 09:28
jdime
post 3.12.2008 04:01
Post #9
Newbie
Group: Members
Posts: 5
Joined: 2.12.2008

QUOTE(cupez80 @ 2.12.2008 17:35)
The malware is known as Net-Worm.Win32.Kido.r.

Is it very critical? It spreads very fast by attacking nearby workstations.
jdime
post 3.12.2008 06:48
Post #10
Newbie
Group: Members
Posts: 5
Joined: 2.12.2008

I have already installed the Security Update for Windows XP (KB958644), but it seems to have recurred. My Kaspersky Anti-Hacker detected it again: 12/3/2008 11:42:03 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445

Is there any accurate solution for this?
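The alert line quoted above names the source IP of each blocked attempt, and on a patched machine that source is the infected neighbour still scanning port 445, not the patched host itself. The following added example (not from this thread or from Kaspersky) parses a constructed batch of such Anti-Hacker lines and groups them by source so the noisiest LAN hosts can be isolated and disinfected first; the IPs and the assumed LAN range 192.168.0.0/24 are made up for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format quoted in the thread
# ("<date> <time> <signature> <source IP> <proto> <port>"); IPs are invented.
SAMPLE_LOG = """\
12/3/2008 11:42:03 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 11:42:09 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 11:45:31 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.22 TCP 445
garbage line that must be skipped
12/3/2008 11:51:47 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 11:52:02 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 10.10.4.7 TCP 445
"""

NETAPI_SIG = "Intrusion.Win.NETAPI.buffer-overflow.exploit"

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) (?P<sig>\S+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}) (?P<proto>TCP|UDP) (?P<port>\d+)$"
)


def parse_alerts(text):
    """Return one dict per well-formed alert line; anything else is skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["port"] = int(rec["port"])
            alerts.append(rec)
    return alerts


def netapi_sources(alerts):
    """Count MS08-067 (NETAPI) attempts against TCP/445 per source address."""
    return Counter(a["src"] for a in alerts
                   if a["sig"] == NETAPI_SIG and a["proto"] == "TCP" and a["port"] == 445)


def triage(text, lan_cidr="192.168.0.0/24"):
    """Split sources into LAN hosts (isolate, scan, patch) and outside hosts (filter at the perimeter)."""
    lan_net = ipaddress.ip_network(lan_cidr)
    lan, outside = {}, {}
    for ip, n in netapi_sources(parse_alerts(text)).items():
        (lan if ipaddress.ip_address(ip) in lan_net else outside)[ip] = n
    return lan, outside


if __name__ == "__main__":
    lan, outside = triage(SAMPLE_LOG)
    for ip, n in sorted(lan.items(), key=lambda kv: -kv[1]):
        print(f"LAN host {ip}: {n} attempts; check for Kido/Conficker and confirm KB958644 is installed")
    for ip, n in outside.items():
        print(f"outside host {ip}: {n} attempts; block 445 at the perimeter")
```

The same grouping can be run over an exported Kaspersky log file instead of the embedded sample; the host with the highest count is the one to take off the network first.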
RRP
post 3.12.2008 18:26
Post #11
Newbie
Group: Members
Posts: 1
Joined: 3.12.2008

I have a similar situation.
After my computer scan I chose to delete the virus Net-Worm.Win32.Kido.ah, file: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OY8GXR2T\bzqix[1].jpg
The computer continues to attack other computers.
How to disinfect completely?
Rodrigo Silveira
post 3.12.2008 19:34
Post #12
Newbie
Group: Members
Posts: 1
Joined: 3.12.2008

I have 5 machines in my network with this same problem.
I have already installed the Security Update for Windows XP (KB958644), and the problem persists.
I tried to search for the origin of the attacks with the AV, other anti-spyware and registry software, with no solution.
There is no documentation on the net to solve it.
I formatted one of the machines, and it stopped attacking the others.
Does anyone have any idea how to solve it?
jdime
post 4.12.2008 04:26
Post #13
Newbie
Group: Members
Posts: 5
Joined: 2.12.2008

Gimmiv.A exploits critical vulnerability (MS08-067)

A critical vulnerability in the Server Service has only just been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has been found to be exploiting it in the wild.

Once executed, the worm will drop 3 files: winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem\basesvc.dll.

It will then install and start up a new service called BaseSvc with the display name "Windows NT Baseline". The service BaseSvc will force svchost.exe to load the DLL winbase.dll, which is specified as the ServiceDll parameter for BaseSvc.

Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.

After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and the Outlook Express password cache, and post the collected details to a remote host. The details are posted in encrypted form, using AES (Rijndael) encryption.

The collected information seems to specify whether the following AV products are found to be installed on the compromised system:

* BitDefender Antivirus
* Jiangmin Antivirus
* Kingsoft Internet Security
* Kaspersky Antivirus
* Microsoft's OneCare Protection
* Rising Antivirus
* Trend Micro

Details collected by Gimmiv.A are then posted to a personal profile of the user "perlbody", hosted with snipped hosting provider. At this time, the collected details are displayed at this link.

At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims' details, indirectly indicating how many victims have been compromised by this worm so far.

The worm also fetches a few files from the following locations:

1) snipped
2) snipped
3) snipped

More info: Gimmiv.A exploits (MS08-067)

This post has been edited by richbuff: 4.12.2008 04:43
Reason for edit: links to locations that the worm fetches files from: snipped
aev_rico123
post 8.03.2009 09:14
Post #14
Newbie
Group: Members
Posts: 1
Joined: 8.03.2009

Please help me, how do I solve the "Intrusion.Win.NETAPI.buffer-overflow.exploit" problem? I have already installed MS Windows XP Service Pack 3, but the message is still popping up.
agsrian
post 8.03.2009 19:21
Post #15
Member
Group: Members
Posts: 24
Joined: 2.01.2006
From: Surabaya Indonesia

QUOTE(aev_rico123 @ 8.03.2009 13:14)
Please help me, how do I solve the "Intrusion.Win.NETAPI.buffer-overflow.exploit" problem? I have already installed MS Windows XP Service Pack 3, but the message is still popping up.

Lately this attack comes from the Net-Worm Kido family. Kaspersky has already warned its users about this widespread worm. See this link and follow the instructions on how to handle this net worm.

http://www.viruslist.com/en/alerts?alertid=203996089

Hope it helps.