Interesting Occurrence

Okay… Here is a new one for me. Got a call from my dad saying he left his PC on last night connected to his broadband. He went to log in this morning and noticed a new ID in his user list - IWAP_WWW. He immediately deleted it and called me. I had him ensure his critical updates were all applied - they were. I had him ensure his antivirus was up to date - it was (Norton Antivirus 2004). He is running XP Home.

I searched the antivirus sites and elsewhere for references. Any idea if there is a new vulnerability that has not been publicly released? Any clues?

Regards,
Brent

** Reply to message from Brent_OKeeffe@asc.aon.com on Mon, 21 Jun 2004
12:44:50 -0500

Okay... Here is a new one for me. Got a call from my dad saying he left
his PC on last night connected to his broadband. He went to log in this
morning and noticed a new ID in his user list - IWAP_WWW. He immediately
deleted it and called me. I had him ensure his critical updates were all
applied - they were. I had him ensure his antivirus was up to date - it
was (Norton Antivirus 2004). He is running XP Home.

I searched the antivirus sites and elsewhere for references. Any idea if
there is a new vulnerability that has not been publicly released? Any
clues?

Regards,
Brent

Out of curiosity, was he running any sort (including the XP one) of
firewall software?

That almost looks like one of the dummy user accounts that gets added as part of IIS. I see a couple of these on one win2k server that I maintain:

“IWAM_” (Launch IIS Process Account)

“IUSER_” (Internet Guest Account)

Luke

Dare I ask, what part of "North American Network Operators Group" made you
think that this could POSSIBLY be on-topic or of interest to anyone here?

you sent html as opposed to an email message. as i do not use a web browser
to read mail, i can not read your message. if you want me to read your
email, send email.

randy

Try Securityfocus' Incidents list.

I'm sure Susan will make sure to revoke his posting rights.

-chris

Not the best place to ask (full-disclosure or the incidents list perhaps), but there are numerous phishing scams going on of late (I get 3 or 4 a day) that exploit an unpatched IE bug....

e.g. the spam reads

You Have a VoiceMessage Waiting Priority :Urgent From:xxx xxx http://www.ONEvoicemailbox.net/voicemail/

(replace ONE with "1" in the host) -- I strongly suggest NOT going to this site with IE

This particular site crams in a keylogger into your PC by use of
http://221.4.203.78/bestadult/shellscript_loader.js
http://221.4.203.78/bestadult/shellscript.js

         ---Mike