[Dshield] TCP Port 135 different scans, two worms or just a known scan and a worm??

Blake McNeill mcneillb at linklogger.com
Tue Aug 12 10:12:51 GMT 2003


There are two very similar worms, but with a very small difference.

From watching the scans and follow-up traffic over TCP port 4444 we know
that both of these are attack scan signatures as both versions attempted
transfer of the msblast.exe over tftp via commands issued over TCP port
4444.  So the question remains what is the difference between these scans?
I suspect perhaps the interface being attacked is different or something.

Note we have also found a way to directly notify owners of infected systems
using our PortPeeker v2 beta so we will see if that helps clean up this mess
faster.

Blake

http://www.SonicLogger.com - Logging Software for SonicWall and 3Com
http://www.LinkLogger.com - Logging Software for Linksys, Netgear and Zyxel


----- Original Message ----- 
From: "Blake McNeill" <mcneillb at linklogger.com>
To: "General DShield Discussion List" <list at dshield.org>
Sent: Tuesday, August 12, 2003 1:08 AM
Subject: [Dshield] TCP Port 135 different scans, two worms or just a known scan and a worm??


> Attached are samples of two common TCP port 135 scans we have seen thus far
> which are different. Note the differences are:
>
> from scan 1 - MD5 = B112ADDE25720C42E5B55B75CDD8EACA
> 03D0 46 00 58 00 46 00 58 00 46 00 58 00 9F 75 18 00 F.X.F.X.F.X..u..
>
> and from scan 2 - MD5 = 288C8038AFD9B6CC56C3F5CAAFC46659
> 03D0 46 00 58 00 46 00 58 00 46 00 58 00 9D 13 00 01 F.X.F.X.F.X.....
>
> Anyone want to comment on the differences? Is one the worm and one just a
> xfocus/metasploit scan or are they both worms with a small difference?
>
> Blake
>
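
Added example, not part of the original thread: a small Python comparison of the two offset-0x03D0 rows quoted above, reporting which bytes differ and labelling a captured row as scan 1 or scan 2. Reading the last four bytes as one little-endian 32-bit word is an assumption, and the function names are illustrative.

```python
import struct

# The two offset-0x03D0 rows quoted in the message above (hex column only).
SCAN1_ROW = "03D0 46 00 58 00 46 00 58 00 46 00 58 00 9F 75 18 00"
SCAN2_ROW = "03D0 46 00 58 00 46 00 58 00 46 00 58 00 9D 13 00 01"


def parse_row(row):
    """Parse 'OFFSET b0 .. b15 [ascii]' into (offset, bytes).

    Only the first 16 tokens after the offset are read, so a trailing
    ASCII column is ignored. A malformed hex token raises ValueError.
    """
    fields = row.split()
    offset = int(fields[0], 16)
    data = bytes(int(tok, 16) for tok in fields[1:17])
    return offset, data


def diff_rows(row_a, row_b):
    """Return (absolute_offset, byte_a, byte_b) for every differing byte."""
    off_a, a = parse_row(row_a)
    off_b, b = parse_row(row_b)
    if off_a != off_b or len(a) != len(b):
        raise ValueError("rows are not aligned")
    return [(off_a + i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]


def trailing_dword(row):
    """Last four bytes of the row as a little-endian 32-bit value.

    Treating them as a single dword is an assumption made for comparison.
    """
    _, data = parse_row(row)
    return struct.unpack("<I", data[-4:])[0]


def classify(row):
    """Label a captured 0x03D0 row as 'scan 1', 'scan 2' or 'unknown'."""
    known = {trailing_dword(SCAN1_ROW): "scan 1",
             trailing_dword(SCAN2_ROW): "scan 2"}
    return known.get(trailing_dword(row), "unknown")


if __name__ == "__main__":
    for off, b1, b2 in diff_rows(SCAN1_ROW, SCAN2_ROW):
        print(f"offset 0x{off:04X}: scan1={b1:02X} scan2={b2:02X}")
    print(f"scan 1 dword: 0x{trailing_dword(SCAN1_ROW):08X}")
    print(f"scan 2 dword: 0x{trailing_dword(SCAN2_ROW):08X}")
```
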

