[unisog] Unusual volume: UDP:137 probes

Mike Iglesias iglesias at draco.acs.uci.edu
Tue Oct 1 04:35:03 GMT 2002

> Has anyone here isolated the worm?
> Might it be this?
>  http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
> Anyone have an IP address for www.opasoft.com? That might be another way to
> trace back with argus/netflow/etc.

Symantec is calling it the W32.Opaserv.worm, McAfee has something
similar called W32/Scrup.worm.

>From what I can tell from our Argus logs, it looks like this scanner
finds a likely candidate from the port 137 scans and then attempts to
connect to the system using port 139, probably via open drive C
shares.  Some amount of data is transfered (the scanner itself?), and
then the target system contacts a web server (two I've seen so far are and  Shortly thereafter, the system
starts scanning starting at some IP address.  It appears to start at a
random host number (the last octet is not .1) and goes up to .255.
Sometimes when it hits .255, it tries to contact the web site again.

Looks like it's going to be a fun week.

Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

More information about the unisog mailing list