[unisog] New worm?

Kevin T. Shivers kts at umd.edu
Sat Nov 29 15:51:13 GMT 2003

As someone else said, it looks like some warez crew has found your domain 
and thought it would be ripe for setting up Pubstros on.  They are 
probably using something like XScan (from http://www.xfocus.org) or some 
other vulnerability scanner, focusing on NetBIOS vulnerabilities to break 
into the machines and then set up their Pubstros.

Since you said you found Welchia on the machine when you ran Norton either 
the machine was previously infected or the warez crew is using a modified 
version of the dcom.c or Welchia code to break in.

Filtering port 135 and port 445 at your border should help prevent this.


Kevin T. Shivers

IT Security Analyst                                CSS4417
Office of Information Technology            (301) 405-8836
University of Maryland, College Park
OIT Security: (301) 226 HACK

On Wed, 26 Nov 2003, Edward Zawacki wrote:

> We are seeing a new worm (new to us at least ;).
> It is scanning random IP addresses on ports 135 and 445. It has
> scanned on sequential addresses 4 times though (unless that was
> a separate beast).
> Once a machine is infected, several random ports are opened
> and at least one of them appears to be attempting to send
> an executable.
> On the few we scanned, port 1019 answers with:
> 220 an Cr3w Site^M^M
> 221 l8r...
> The one machine that we looked at had a registry
> entry in HKLM../RunServices for "Windows Updater"
> with a value of "svthost.exe".
> Norton run on the machine picked up Welchia and
> quarantined two files. Welchia never scanned on
> port 445 though...
> Any ideas as to what this is?
> Thanks
> edz

More information about the unisog mailing list