[Dshield] TCP Port 135 different scans, two worms or just a known scan and a worm??

Johannes Ullrich jullrich at euclidian.com
Tue Aug 12 11:02:23 GMT 2003


The difference is the return address used. The exploit uses either the
universal XP (0x0100139D, second sample) or the Win2K (0x0018759F,
first sample) return address.



On Tue, 2003-08-12 at 03:08, Blake McNeill wrote:
> Attached are samples of two common TCP port 135 scans we have seen thus far
> which are different. Note the differences are:
> 
> from scan 1 - MD5 = B112ADDE25720C42E5B55B75CDD8EACA
> 03D0 46 00 58 00 46 00 58 00 46 00 58 00 9F 75 18 00 F.X.F.X.F.X..u..
> 
> and from scan 2 - MD5 = 288C8038AFD9B6CC56C3F5CAAFC46659
> 03D0 46 00 58 00 46 00 58 00 46 00 58 00 9D 13 00 01 F.X.F.X.F.X.....
> 
> Anyone want to comment on the differences? Is one the worm and one just an
> xfocus/metasploit scan or are they both worms with a small difference?
> 
> Blake
> 
-- 
--------------------------------------------------------------
Johannes Ullrich                     jullrich at euclidian.com
pgp key: http://johannes.homepc.org/PGPKEYS
--------------------------------------------------------------
   "We regret to inform you that we do not enable any of the 
    security functions within the routers that we install."
         support at covad.net
--------------------------------------------------------------
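
Added example, not part of the original messages: a small triage helper that reads the offset-0x03D0 row from each quoted dump, decodes the last four bytes as a little-endian DWORD, and labels it with the return address named in the reply. The field position 0x3DC is an assumption derived from the two rows quoted above; the function and variable names are hypothetical.

```python
import re
import struct

# Return addresses named in the reply above (values taken from the page).
KNOWN_RET = {
    0x0018759F: "Win2K return address",
    0x0100139D: "universal XP return address",
}

# Constructed input: the two rows quoted in the message, in
# "offset, 16 hex bytes, ASCII column" layout.
SAMPLE_ROWS = {
    "scan 1": "03D0 46 00 58 00 46 00 58 00 46 00 58 00 9F 75 18 00 F.X.F.X.F.X..u..",
    "scan 2": "03D0 46 00 58 00 46 00 58 00 46 00 58 00 9D 13 00 01 F.X.F.X.F.X.....",
}

HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")


def parse_row(row):
    """Return (offset, data) for one hexdump row; the ASCII column is ignored."""
    tokens = row.split()
    if not tokens:
        raise ValueError("empty row")
    offset = int(tokens[0], 16)
    data = bytearray()
    for tok in tokens[1:17]:          # at most 16 byte columns per row
        if not HEX_BYTE.fullmatch(tok):
            break                     # reached the ASCII column of a short row
        data.append(int(tok, 16))
    return offset, bytes(data)


def classify(row, field_offset=0x3DC):
    """Decode the little-endian DWORD at field_offset (assumed position)."""
    offset, data = parse_row(row)
    start = field_offset - offset
    if start < 0 or start + 4 > len(data):
        raise ValueError("row does not cover the 4-byte field")
    value = struct.unpack_from("<I", data, start)[0]
    # x86 stores the address least-significant byte first, so the dump
    # bytes 9F 75 18 00 read back as 0x0018759F.
    return value, KNOWN_RET.get(value, "unknown")


if __name__ == "__main__":
    for name, row in SAMPLE_ROWS.items():
        value, label = classify(row)
        print(f"{name}: 0x{value:08X} -> {label}")
```
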




