New worm?

Edward Zawacki edz at
Wed Nov 26 13:29:26 GMT 2003

We are seeing a new worm (new to us at least ;).

It is scanning random IP addresses on ports 135 and 445. It has
scanned on sequential addresses 4 times though (unless that was
a separate beast).

Once a machine is infected, several random ports are opened
and at least one of them appears to be attempting to send
an executable.

On the few we scanned, port 1019 answers with:

220 an Cr3w Site^M^M
221 l8r...

The one machine that we looked at had a registry
entry in HKLM../RunServices for "Windows Updater"
with a value of "svthost.exe".

Norton run on the machine picked up Welchia and
quarantined two files. Welchia never scanned on
port 445 though...

Any ideas as to what this is?


More information about the unisog mailing list