[unisog] New worm?

Brian Eckman eckman at umn.edu
Mon Dec 1 16:04:12 GMT 2003

Edward Zawacki wrote:
> We are seeing a new worm (new to us at least ;).
> It is scanning random IP addresses on ports 135 and 445. It has
> scanned on sequential addresses 4 times though (unless that was
> a separate beast).
> Once a machine is infected, several random ports are opened
> and at least one of them appears to be attempting to send
> an executable.
> On the few we scanned, port 1019 answers with:
> 220 an Cr3w Site^M^M
> 221 l8r...
> The one machine that we looked at had a registry
> entry in HKLM../RunServices for "Windows Updater"
> with a value of "svthost.exe".
> Norton run on the machine picked up Welchia and
> quarantined two files. Welchia never scanned on
> port 445 though...
> Any ideas as to what this is?
> Thanks
> edz

Based on the information you have presented, I'd say that it is probably 
not a worm. Often machines that are compromised and used for Warez are 
also set up with scanning software (someone mentioned XScan; good guess 
if you ask me) and are used to scan other machines, looking for specific 
vulnerabilities. The "new owners" of the compromised machine then look 
through the scanner logs to see what machines are vulnerable to whatever 
they are looking for, and manually compromise them, and the cycle 


Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota

"There are 10 types of people in this world. Those who
understand binary and those who don't."

More information about the unisog mailing list