COMMAND

    tmlisten.exe

SYSTEMS AFFECTED

    TrendMicro OfficeScan

PROBLEM

    Jeff Stevens found following.   While playing around with nmap  he
    managed  to  pull  down  a  bunch  of  our NT workstations running
    OfficeScan.   This could  potentially be  used as  a DoS attack to
    bring  down  any  NT  machine  running  OfficeScan.   he  used the
    following command where machine.domain.com is a Windows NT machine
    running either SP 4 or 5 or a Win2k RC3 box.

        nmap -sT -O -p 12345 machine.domain.com

    One of three things can happen:

        (1) Nothing -- rare but it does happen.
        (2) The machine slows to a halt as tmlisten.exe pulls 100% CPU.
        (3) Visual C++ error as tmlisten.exe crashes.

    OfficeScan 3.5, scan engine 5.100 and pattern file 663 are running
    on the target machine.  You can also make the process dump with  a
    Visual  C++  error  if  you  send  a  bunch  of  data  via telnet.
    Tmlisten.exe  does  crash  usually  when  the telnet connection is
    closed, not when you send the data.

SOLUTION

    Patch availability:

        http://www.antivirus.com/download/ofce_patch.htm