[unisog] worm that looks for 139, 1433 and 2967

Scott Fendley scottf at uark.edu
Sat Feb 17 20:10:12 GMT 2007


Take your pick of any number of variants of Spybot or similar botnet 
varieties.  They all have had new modules added in the past few 
months to look for the Symantec AV vulnerability, along with VNC, 
older vulnerabilities in Windows, etc.

So I would recommend that you look at the outbound TCP 
traffic for a known infected host that was scanning your 
network.  You should be able to look at the information and find some 
IP address which is acting as the C&C IRC host.  Using that 
information you should be able to track down and block all of the 
hosts that have been compromised so far.





At 12:35 PM 2/17/2007, you wrote:
>I noticed a bunch of hosts on our campus were infected yesterday 
>with something
>which caused them to scan for 139,1433 and 2967. Anyone else see that?
>Anyone have any info?
>seems to me the previous round of malware that included 2967 also 
>looked for 5900
>so this could be somewhat different?
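The pivot suggested in the reply above, sketched as an added example that is not part of the original message: rank the non-scan, off-campus destinations of one known scanner by session time, then list every campus host talking to the top candidate. The flow format (src,dst,dport,seconds), the campus range, and all addresses are constructed assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

CAMPUS = ipaddress.ip_network("10.20.0.0/16")  # assumed campus range
SCAN_PORTS = {139, 1433, 2967}                 # ports named in the thread

# Constructed flow records: src,dst,dport,seconds
FLOWS = """\
10.20.1.15,10.20.7.1,139,1
10.20.1.15,10.20.7.2,1433,1
10.20.1.15,203.0.113.9,2967,1
10.20.1.15,198.51.100.20,80,4
10.20.1.15,192.0.2.44,6667,5400
10.20.1.15,192.0.2.44,6667,3100
10.20.3.8,192.0.2.44,6667,7200
10.20.3.8,10.20.9.9,2967,1
10.20.5.77,198.51.100.20,80,3
10.20.6.2,192.0.2.44,6667,2500
"""

def load(text):
    """Parse flow lines into (src, dst, dport, seconds) tuples."""
    return [(ipaddress.ip_address(s), ipaddress.ip_address(d), int(p), int(t))
            for s, d, p, t in csv.reader(io.StringIO(text))]

def candidate_controllers(flows, infected):
    """Rank off-campus (dst, port) pairs the infected host used, scan
    traffic excluded, by total session time (long-lived sessions first)."""
    host = ipaddress.ip_address(infected)
    total = defaultdict(int)
    for src, dst, dport, secs in flows:
        if src == host and dst not in CAMPUS and dport not in SCAN_PORTS:
            total[(str(dst), dport)] += secs
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)

def hosts_talking_to(flows, dst, dport):
    """Every campus source with a flow to the suspected controller."""
    return sorted({str(s) for s, d, p, _ in flows
                   if s in CAMPUS and str(d) == dst and p == dport})

if __name__ == "__main__":
    flows = load(FLOWS)
    ranked = candidate_controllers(flows, "10.20.1.15")
    (cc_ip, cc_port), _ = ranked[0]
    print(ranked)
    print(hosts_talking_to(flows, cc_ip, cc_port))
```

The top-ranked destination is only a candidate; confirm it against a packet capture from the infected host before blocking on it.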


