[Dshield] port scans

Doug doug at dwhite.ws
Fri Oct 4 14:56:47 GMT 2002

Port 137 scans are hitting us at the rate of about a hundred per hour.  here is a description.

Its a windows Virus/Worm...it has already broken the Klez Record's, MS
should have already released the patches.  Not sure if zonealram can stop
it because it's designed to kill all Desktop firewall's and some av
programs.  More than likely the scan's are all the script kiddies looking
for the back door.

---sarc snipet---

NOTE: Due to an increased rate of submissions, Symantec Security Response
has upgraded this threat from a Category 3 to a Category 4 as of October 2,

W32.Bugbear at mm is a mass-mailing worm. It can also spread through network
shares. It has keystroke-logging and backdoor capabilities. The worm also
attempts to terminate the processes of various antivirus and firewall

Because the worm does not properly handle the network resource types, it may
flood shared printer resources, which causes them to print garbage or
disrupt their normal functionality.

It is written in the Microsoft Visual C++ 6 programming language and is
compressed with UPX v0.76.1-1.22.

Also Known As: W32/Bugbear-A [Sophos], WORM_BUGBEAR.A [Trend], Win32.Bugbear
[CA], W32/Bugbear at MM [McAfee], I-Worm.Tanatos [AVP], W32/Bugbear [Panda],
Tanatos [F-Secure]
Type: Worm
Infection Length: 50,688 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows
XP, Windows Me
Systems Not Affected: Macintosh, Unix, Linux
CVE References: CVE-2001-0154
---end sarc snipet---

This address is filtered through the open relay database at http://www.ordb.org
and is virus scanned by ANTIVIR
mailto:doug at dwhite.ws
----- Original Message -----
From: "Stigers, David" <dstigers at KACO.org>
To: <list at dshield.org>
Sent: Friday, October 04, 2002 8:10 AM
Subject: [Dshield] port scans

| Here we are seeing scans on port 57 occasionally. Along with this is an
| increased amount of scans on 137 and 110. Anyone else seeing this?
|  "Patience and perseverance have a magical effect before
|     which difficulties disappear and obstacles vanish."
|           - John Quincy Adams
| ________________________________________
| David E. Stigers
| Network Administrator
| KY Association of Counties
| 380 Kings Daughters Drive
| Frankfort, KY 40601
| Work: 502.223.7667
| Fax: 502.223.1502
| http://www.kaco.org
| ________________________________________
| _______________________________________________
| Dshield mailing list
| Dshield at dshield.org
| To change your subscription options (or unsubscribe), see:

More information about the list mailing list