cupez80

Intrusion.Win.NETAPI.buffer-overflow.exploit


Searching the web I found this:

1. This belongs to the exploit type of network attack, so the system needs to be patched.

2. A common approach is also to close port 445 in the firewall to prevent such attacks, and to check the event log for hybrid threats; if, for example, other types of virus are included, a full scan is recommended.

3. Send to Kaspersky.

(The site I found it on was Chinese; along with other sites, they more or less say the same thing.) I would wait for a mod before disabling firewall ports.

 

What exactly is popping up?


cupez80   

The pop-up says Intrusion.Win.NETAPI.buffer-overflow.exploit from IP xxx.xxx.xxx.xxx port 445 has been blocked.

I know it's safe because Kaspersky has blocked the intrusion... but I just want to know which malware does this :D

Is there any new worm spreading?

cupez80   

Maybe MS08-067 - Worm Exploiting unpatched systems in the Wild

Does Kaspersky have detection for this malware?

Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software]


cupez80   
The problem also happened on my workstations.

The malware is known as Net-Worm.Win32.Kido.r.

Edit: deleted attachments from quote.

Edited by richbuff


I have already installed the Security Update for Windows XP (KB958644), but it seems to have recurred. My Kaspersky Anti-Hacker detected it again: 12/3/2008 11:42:03 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445

Is there any accurate solution for this?
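An added example, written for this edit and not code from any post in the thread, that works through what the log line above actually tells you. The alert records an incoming MS08-067 exploit attempt that Kaspersky blocked, so the IP in the line (192.168.0.15, a LAN address) is the attacker, not the patched machine showing the pop-up. The script parses lines in the format posted above (assumed to be the exact format), groups them by source, and separates RFC 1918 sources, which are the machines that need disinfecting, from Internet sources, which can only be firewalled. The sample log is constructed; only its first line comes from the post.

```python
"""Triage Kaspersky "Intrusion.Win.NETAPI.buffer-overflow.exploit" alerts.

Added example, not code from any post in this thread. Each alert is an
*incoming* MS08-067 exploit attempt that Kaspersky blocked, so the IP in
the line is the attacker, not the victim. Patching the host that shows
the pop-up stops it being exploited but does not stop the pop-ups: the
infected source keeps scanning port 445 until it is cleaned.

Assumed log format, taken from the line posted above:
  12/3/2008 11:42:03 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
"""
import ipaddress
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<stamp>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<sig>\S+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<proto>TCP|UDP)\s+(?P<port>\d{1,5})\s*$"
)
# RFC 1918 only; ipaddress.is_private would also count documentation ranges.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_lan(ip):
    return any(ip in net for net in LAN_NETS)


def parse_line(line):
    """Parse one alert line; return None for non-alert lines or bad addresses."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(" ".join(m.group("stamp").split()), "%m/%d/%Y %I:%M:%S %p")
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:
        return None
    return {"when": when, "sig": m.group("sig"), "src": str(src), "lan": is_lan(src),
            "proto": m.group("proto"), "port": int(m.group("port"))}


def triage(lines):
    """Summarise alerts per source IP, busiest source first."""
    per_src = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src.setdefault(rec["src"], {
            "src": rec["src"], "lan": rec["lan"], "count": 0, "sigs": set(),
            "ports": set(), "first": rec["when"], "last": rec["when"]})
        s["count"] += 1
        s["sigs"].add(rec["sig"])
        s["ports"].add(rec["port"])
        s["first"] = min(s["first"], rec["when"])
        s["last"] = max(s["last"], rec["when"])
    return sorted(per_src.values(), key=lambda s: (-s["count"], s["src"]))


def lan_hosts_to_disinfect(summary):
    """LAN sources firing the NETAPI signature at 445: clean these, not the victim."""
    return [s["src"] for s in summary
            if s["lan"] and 445 in s["ports"] and any("NETAPI" in sig for sig in s["sigs"])]


# Constructed sample log, not a real capture; only the first line is from the post.
SAMPLE_LOG = """\
12/3/2008 11:42:03 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 11:42:09 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 11:47:30 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.22 TCP 445
12/3/2008 11:51:12 AM Intrusion.Win.NETAPI.buffer-overflow.exploit 192.168.0.15 TCP 445
12/3/2008 12:02:45 PM Intrusion.Win.NETAPI.buffer-overflow.exploit 203.0.113.7 TCP 445
Kaspersky Anti-Hacker started
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG.splitlines())
    for s in summary:
        where = "LAN " if s["lan"] else "WAN "
        print(f"{where}{s['src']:15} {s['count']:3} hits {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S}")
    print("Disinfect:", ", ".join(lan_hosts_to_disinfect(summary)))
```

Run it against an export of the Anti-Hacker log instead of SAMPLE_LOG and the hosts it lists are where the worm actually lives; the machine showing the pop-up is only the target. If a listed source is an Internet address there is nothing to clean on your side, and keeping 445 closed at the perimeter is the whole fix.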

 

RRP   

I have a similar situation.

After my computer scan I chose to delete the virus Net-Worm.Win32.Kido.ah, file: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\OY8GXR2T\bzqix[1].jpg

The computer continues to attack other computers.

How do I disinfect completely?

rod_rps   

I have 5 machines on my network with this same problem.

I have already installed the Security Update for Windows XP (KB958644), and the problem persists.

I tried to find the origin of the attacks with the AV, other anti-spyware and registry tools, with no solution.

There is no documentation on the net to solve it.

I formatted one of the machines, and it stopped attacking the others.

Does anyone have any idea how to solve it?


Gimmiv.A exploits critical vulnerability (MS08-067)

A critical vulnerability in the Server Service has only just been patched by Microsoft (MS08-067), as a new worm called Gimmiv.A has been found to be exploiting it in the wild.

Once executed, the worm will drop 3 files: winbase.dll, basesvc.dll and syicon.dll into the directory %System%\Wbem\basesvc.dll.

It will then install and start a new service called BaseSvc with the display name "Windows NT Baseline". The service BaseSvc will force svchost.exe to load the DLL winbase.dll, which is specified as the ServiceDll parameter for BaseSvc.

Once loaded, winbase.dll will load 2 additional DLLs into the address space of the system process services.exe: basesvc.dll and syicon.dll.

After dropping and loading the aforementioned DLLs, the worm will collect system information from the compromised computer, collect passwords from the Windows protected storage and the Outlook Express password cache, and post the collected details to a remote host. The details are posted in encrypted form, using AES (Rijndael) encryption.

The collected information seems to specify whether the following AV products are found to be installed on the compromised system:

* BitDefender Antivirus
* Jiangmin Antivirus
* Kingsoft Internet Security
* Kaspersky Antivirus
* Microsoft's OneCare Protection
* Rising Antivirus
* Trend Micro

Details collected by Gimmiv.A are then posted to a personal profile of the user "perlbody", hosted with snipped hosting provider. At this time, the collected details are displayed at this link.

At the time of this writing, there are 3,695 entries in that file. Every line contains an encrypted string, which could potentially conceal current victims' details, indirectly indicating how many victims have been compromised by this worm so far.

The worm also fetches a few files from the following locations:

1) snipped
2) snipped
3) snipped

More info: Gimmiv.A exploits (MS08-067)

Edited by richbuff: links to locations that the worm fetches files from: snipped
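The persistence described in the post above (a service whose ServiceDll value makes svchost.exe load the worm's DLL) is something you can check for directly. The following is an added example written for this edit, not code from the article or from the worm's analysts. It assumes the standard svchost registry layout, HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll, and uses the service name, display name and DLL file names exactly as the post gives them. The audit function is pure and runs on any OS against already-collected records (the sample records are constructed); the registry walk uses winreg and so only works on Windows.

```python
"""Audit svchost-hosted services for Gimmiv.A-style ServiceDll persistence.

Added example, not code from the article quoted above. The post describes
a service "BaseSvc" (display name "Windows NT Baseline") whose ServiceDll
value makes svchost.exe load winbase.dll dropped under %System%\\Wbem.
Assumed registry layout, the standard one for svchost services:
  HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name>\\Parameters\\ServiceDll

audit_services() is pure and runs anywhere on already-collected records
(a constructed sample is below); collect_services() reads the live
registry through winreg and therefore only works on Windows.
"""
import os
import re
import sys

GIMMIV_DLLS = {"winbase.dll", "basesvc.dll", "syicon.dll"}   # names from the post
GIMMIV_SERVICE = "basesvc"
GIMMIV_DISPLAY = "windows nt baseline"


def _normalize(path, system_root):
    """Expand %SystemRoot%/%windir%, strip quotes, lower-case, backslashes only."""
    p = re.sub(r"%(systemroot|windir)%", lambda _m: system_root, path, flags=re.I)
    return p.strip().strip('"').replace("/", "\\").lower()


def audit_services(records, system_root=r"C:\WINDOWS"):
    """Return [(service name, raw ServiceDll, [reasons])] for services worth a look.

    records: dicts with keys name, display, service_dll. Services with no
    ServiceDll are not svchost-hosted and are skipped.
    """
    system32 = _normalize(system_root + "\\system32", system_root)
    findings = []
    for r in records:
        dll = r.get("service_dll") or ""
        if not dll:
            continue
        directory, _, base = _normalize(dll, system_root).rpartition("\\")
        reasons = []
        if base in GIMMIV_DLLS:
            reasons.append("ServiceDll file name matches a Gimmiv.A component")
        if (r.get("name", "").lower() == GIMMIV_SERVICE
                or r.get("display", "").lower() == GIMMIV_DISPLAY):
            reasons.append("service name or display name matches Gimmiv.A's BaseSvc")
        if directory != system32:
            # Heuristic: most XP ServiceDlls live directly in system32; Wbem is a subdir.
            reasons.append("ServiceDll outside %SystemRoot%\\system32; verify signer/hash")
        if reasons:
            findings.append((r.get("name", ""), dll, reasons))
    return findings


def _reg_str(key, value):
    import winreg  # Windows only
    try:
        return str(winreg.QueryValueEx(key, value)[0])
    except OSError:
        return ""


def collect_services():
    """Walk HKLM\\SYSTEM\\CurrentControlSet\\Services into audit_services() records."""
    import winreg  # Windows only
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            rec = {"name": name, "display": "", "service_dll": ""}
            with winreg.OpenKey(root, name) as k:
                rec["display"] = _reg_str(k, "DisplayName")
                try:
                    with winreg.OpenKey(k, "Parameters") as p:
                        rec["service_dll"] = _reg_str(p, "ServiceDll")
                except OSError:
                    pass  # no Parameters subkey: not an svchost-hosted service
            records.append(rec)
    return records


# Constructed sample, not dumped from a real machine: one clean svchost service,
# one non-svchost service, the BaseSvc entry as the post describes it, and a
# third-party service that only trips the location heuristic.
SAMPLE_RECORDS = [
    {"name": "Dnscache", "display": "DNS Client", "service_dll": r"%SystemRoot%\System32\dnsrslvr.dll"},
    {"name": "Spooler", "display": "Print Spooler", "service_dll": ""},
    {"name": "BaseSvc", "display": "Windows NT Baseline", "service_dll": r"%SystemRoot%\system32\wbem\winbase.dll"},
    {"name": "Vendor3p", "display": "Vendor Updater", "service_dll": r"C:\Program Files\Vendor\updsvc.dll"},
]

if __name__ == "__main__":
    if sys.platform == "win32":
        records, root = collect_services(), os.environ.get("SystemRoot", r"C:\WINDOWS")
    else:
        records, root = SAMPLE_RECORDS, r"C:\WINDOWS"
    for name, dll, reasons in audit_services(records, root):
        print(f"{name}: {dll}\n  - " + "\n  - ".join(reasons))
```

The name-based checks only catch this particular worm; the "outside system32" heuristic is what finds the next one, at the cost of also listing legitimate third-party services, so treat that line as a review queue (check the signer and hash) rather than a verdict. Running this from a live, infected Windows session is unreliable since the loaded DLL can interfere with what the registry reports; an offline read of the hive is stronger evidence.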


Please help me, how do I solve the "Intrusion.Win.NETAPI.buffer-overflow.exploit" problem? I have already installed MS Windows XP Service Pack 3, but the message is still popping up.

 

agsrian   

Lately this attack comes from the Net-Worm Kido family. Kaspersky has already warned its users about this widespread worm. See this link and follow it for how to handle this net-worm.

 

http://www.viruslist.com/en/alerts?alertid=203996089

 

Hope it helps.

This topic is now closed to further replies.