[unisog] New worm?
Kevin T. Shivers
kts at umd.edu
Sat Nov 29 15:51:13 GMT 2003
As someone else said, it looks like some warez crew has found your domain
and thought it would be ripe for setting up Pubstros on. They are
probably using something like XScan (from http://www.xfocus.org) or some
other vulnerability scanner, focusing on NetBIOS vulnerabilities to break
into the machines and then set up their Pubstros.
Since you said you found Welchia on the machine when you ran Norton either
the machine was previously infected or the warez crew is using a modified
version of the dcom.c or Welchia code to break in.
Filtering port 135 and port 445 at your border should help prevent this.
Kevin T. Shivers
IT Security Analyst CSS4417
Office of Information Technology (301) 405-8836
University of Maryland, College Park
OIT Security: (301) 226 HACK
On Wed, 26 Nov 2003, Edward Zawacki wrote:
> We are seeing a new worm (new to us at least ;).
> It is scanning random IP addresses on ports 135 and 445. It has
> scanned on sequential addresses 4 times though (unless that was
> a separate beast).
> Once a machine is infected, several random ports are opened
> and at least one of them appears to be attempting to send
> an executable.
> On the few we scanned, port 1019 answers with:
> 220 an Cr3w Site^M^M
> 221 l8r...
> The one machine that we looked at had a registry
> entry in HKLM../RunServices for "Windows Updater"
> with a value of "svthost.exe".
> Norton run on the machine picked up Welchia and
> quarantined two files. Welchia never scanned on
> port 445 though...
> Any ideas as to what this is?
More information about the unisog