Anyone know if this is real? boep-blackd

Discussion in 'other anti-malware software' started by Trekk, Sep 1, 2005.

Thread Status:
Not open for further replies.
  1. Trekk

    Trekk Registered Member

    Aug 16, 2005
    We are testing a software called ISS Proventia and it seems to have discovered a Buffer Overflow Exploit virus on a network currently being scanned by McAfee Enterprise. Can I have some input if this looks legitimate, or if it's a bug in the software causing false positives.

    2000003 : Teardrop IP fragmentation

    A "TearDrop" attack consists of an attacker sending a series of fragmented IP datagram pairs to the target system (how many pairs depends on the operating system; Windows NT can take up to 50, while Linux can be crashed with one pair). The first fragment is sent with an offset of 0 (telling the IP that it is the first fragment in the list) and a payload of size N. Subsequent fragments are sent with an offset that tells the IP that it should overlap inside the previous fragment. However, the fragment's payload is either non-existent, or very small (1 or 2 bytes). Affected systems either crash or restart.

    Other variations of this attack are known as "NewTear," "Nestea," "SynDrop," and "Bonk," among others.

    Process ID 976
    SystemCall NTcreatefile
    Blocked YES
    Killed NO
    C:\ISS\Proventia Desktop\blackd.exe
    User SYSTEM
    SecChkID 16199
    Alert Name BOEP-blackd
    Return Addr 01980e88

    Any ideas?
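The signature text above describes the Teardrop pattern in terms of fragment offsets and payload sizes. As an added example (not from the thread, ISS Proventia, or any product), here is a small Python check that applies that description to constructed fragment records: it groups fragments by IP identification, and flags any fragment whose offset falls inside data an earlier fragment already covered, which is what a reassembly-safe host or IDS has to reject. Offsets are given in bytes for readability (the IP header stores them in 8-byte units), and the record shape and sample values are assumptions made here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Fragment:
    ident: int    # IP identification field, shared by all fragments of one datagram
    offset: int   # fragment offset in bytes (IP header encodes this in 8-byte units)
    length: int   # payload length in bytes
    more: bool    # "more fragments" flag (False on the last fragment)


def check_fragments(frags: List[Fragment]) -> Optional[str]:
    """Return a reason if the fragments of one datagram overlap the way Teardrop does, else None."""
    ordered = sorted(frags, key=lambda f: f.offset)
    if not ordered or ordered[0].offset != 0:
        return None  # first fragment not seen yet; nothing to judge
    end = ordered[0].length  # one byte past the data covered so far
    for f in ordered[1:]:
        if f.offset < end:
            overlap = end - f.offset
            if f.length <= overlap:
                # The whole payload sits inside data already received; naive reassembly
                # code computes a negative copy length here, which is the Teardrop crash.
                return f"fragment at offset {f.offset} ({f.length} bytes) lies entirely inside earlier data"
            return f"fragment at offset {f.offset} overlaps earlier data by {overlap} bytes"
        end = max(end, f.offset + f.length)
    return None


def scan_datagrams(frags: List[Fragment]) -> Dict[int, str]:
    """Group fragments by IP id and return {ident: reason} for every suspicious datagram."""
    groups: Dict[int, List[Fragment]] = {}
    for f in frags:
        groups.setdefault(f.ident, []).append(f)
    return {ident: r for ident, g in groups.items() if (r := check_fragments(g))}


# Constructed samples: id 1 mimics the pattern described above (second fragment
# of 4 bytes placed inside the first 36), id 2 is an ordinary two-fragment datagram.
TEARDROP = [Fragment(1, 0, 36, True), Fragment(1, 24, 4, False)]
BENIGN = [Fragment(2, 0, 1480, True), Fragment(2, 1480, 100, False)]

if __name__ == "__main__":
    for ident, reason in scan_datagrams(TEARDROP + BENIGN).items():
        print(f"IP id {ident}: {reason}")
```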


  2. Graphic Equaliser

    Graphic Equaliser Registered Member

    Nov 5, 2004
    London England UK
    Try looking for what started it. The PID is 976, and this can be viewed in the Processes List under Task Manager in Windows XP. This will give you an idea as to whether it is a real process, or some injection of code into a running process.