[unisog] Unusual volume: UDP:137 probes

Bob Johnson bob at eng.ufl.edu
Mon Oct 7 13:20:58 GMT 2002


Rich Graves wrote:
> 
> Has anyone here isolated the worm?
> 
> Might it be this?
> 
>  http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
> 

This seems to be the primary cause of the huge number of port 137 
probes we've been seeing.  I saw a report this morning that it tries 
to open Windows shares with a null password and with one-letter 
passwords.  That suggests that it is exploiting this ancient hole:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-072.asp

Anyone with an unpatched Win95, Win98, or WinME system on the Internet 
is probably infected by now.  This would tend to explain why the majority 
of infected systems seem to be in "lesser developed" countries: they are 
more likely to use the older operating systems (well, last time I looked 
that was the case -- I haven't looked at where the probes are coming 
from for several days now).

- Bob

-- 

*********************************************************
  Bob Johnson            Senior Systems Programmer
  bob at eng.ufl.edu        College of Engineering
                         501 Weil Hall
  352-392-9217 Office    University of Florida
  352-392-7063 Fax       Gainesville, FL  32611
*********************************************************
  "Security is not a product, it's a mentality."