[Dshield] TCP Port 135 different scans, two worms or just a known scan and a worm??

Blake McNeill mcneillb at linklogger.com
Tue Aug 12 07:08:29 GMT 2003


Attached are samples of two common TCP port 135 scans we have seen thus far
which are different. Note the differences are:

from scan 1 - MD5 = B112ADDE25720C42E5B55B75CDD8EACA
03D0  46 00 58 00 46 00 58 00 46 00 58 00 9F 75 18 00  F.X.F.X.F.X..u..

and from scan 2 - MD5 = 288C8038AFD9B6CC56C3F5CAAFC46659
03D0  46 00 58 00 46 00 58 00 46 00 58 00 9D 13 00 01  F.X.F.X.F.X.....

Anyone want to comment on the differences? Is one the worm and one just an
xfocus/metasploit scan, or are they both worms with a small difference?

Blake
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scan1.txt
Url: http://www.dshield.org/pipermail/list/attachments/20030812/6ace8567/Scan1.txt
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Scan2.txt
Url: http://www.dshield.org/pipermail/list/attachments/20030812/6ace8567/Scan2.txt

