[unisog] Nachi and NetFlow

Harris, Michael C. HarrisMC at health.missouri.edu
Thu Oct 30 14:29:56 GMT 2003


One possible scenario we have encountered that matches your symptoms:

We had found several machines to be exhibiting the on-again, off-again behavior. What we found is that the host was actually a RAS server and the connected users were infected.

Welchia/Blaster is not on the host you see connected to your network; it is on a machine dialed into its RAS service and is trying to propagate using one of the RAS pool addresses. That is also why NAV on the local device can't find the infection.

-------------------------------------------------------------------
Michael C Harris
System Security Analyst - GSEC
University of Missouri Health Center
harrismc at health.missouri.edu  KC0PAH
-------------------------------------------------------------------




-----Original Message-----
From: Sheil, Sean [mailto:SEAN at mail.nwmissouri.edu]
Sent: Wednesday, October 29, 2003 11:25 PM
To: 'Mitch Collinsworth'; Lois Lehman
Cc: Scott Genung; unisog at sans.org
Subject: RE: [unisog] Nachi and NetFlow


	We have had about 20 PCs that I have located this week where NAV
was perfectly happy.  However, when I had the users run an online virus scan,
Blaster or Nachi was found.  These were personal machines that we do not
have a lot of control over.
	I am doing some research, but it appears that the worm is starting
and stopping its scans.

Sean

-----Original Message-----
From: Mitch Collinsworth [mailto:mitch at ccmr.cornell.edu]
Sent: Wednesday, October 29, 2003 8:12 PM
To: Lois Lehman
Cc: Scott Genung; unisog at sans.org
Subject: RE: [unisog] Nachi and NetFlow



Today one of my staff told me about a new one he's started seeing
that manages to hide all traces of itself from NAV.  He was finally
able to find it by sharing the C: drive to another machine, mounting
it on that machine and scanning it from there.   (!)

-Mitch
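A defender-side illustration of the RAS-pool scenario Michael describes at the top of the thread, added here and not part of any post: it groups constructed NetFlow-style records into time buckets, flags sources that sweep many distinct destinations in on/off bursts, and reports whether the scanning address falls in an assumed RAS dial-in pool (in which case the infection is on a dial-in client, not the RAS host). The pool range, thresholds and flow records are all constructed assumptions.

```python
"""Attribute scan-like NetFlow bursts to a RAS dial-in pool.

Added example, not from the thread. Flow records, the RAS pool range
and the thresholds are constructed assumptions.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

RAS_POOL = ip_network("10.9.8.0/24")   # assumed address pool handed to dial-in clients
WINDOW = 60                            # seconds per time bucket
MIN_DISTINCT_DSTS = 20                 # distinct destinations per bucket that look like a sweep

# Constructed flow records: (epoch seconds, src, dst, proto, dst_port).
# Nachi/Welchia sweeps with ICMP echo and probes TCP/135. Pool address .17 bursts,
# goes quiet for several minutes, then bursts again (the on/off pattern in the thread).
FLOWS = (
    [(1020 + i, "10.9.8.17", f"192.168.1.{i + 1}", "icmp", 0) for i in range(40)]
    + [(1320 + i, "10.9.8.17", f"192.168.2.{i + 1}", "tcp", 135) for i in range(30)]
    + [(1020 + i, "10.1.1.50", f"192.168.3.{i + 1}", "tcp", 135) for i in range(25)]
    + [(1020 + i, "10.9.8.1", "192.168.1.5", "tcp", 443) for i in range(5)]  # RAS host, benign
)

def scan_buckets(flows, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src: [bucket_start, ...]} for sources that swept many distinct dsts."""
    dsts = defaultdict(set)
    for ts, src, dst, _proto, _port in flows:
        dsts[(src, ts // window * window)].add(dst)
    result = defaultdict(list)
    for (src, bucket), targets in sorted(dsts.items()):
        if len(targets) >= min_dsts:
            result[src].append(bucket)
    return dict(result)

def attribute(flows, pool=RAS_POOL, window=WINDOW):
    """Say where each scanning source really lives: the host, or a dial-in client."""
    report = {}
    for src, buckets in scan_buckets(flows, window).items():
        gaps = [b - a for a, b in zip(buckets, buckets[1:])]
        report[src] = {
            "bursts": len(buckets),
            "intermittent": any(g > window for g in gaps),
            "where": ("dial-in client behind RAS (check RAS session logs)"
                      if ip_address(src) in pool else "host itself"),
        }
    return report

if __name__ == "__main__":
    for src, info in sorted(attribute(FLOWS).items()):
        print(src, info)
```

A pool address that scans intermittently is the signature of a dial-in client coming and going; the next step is correlating the bucket times against the RAS server's session logs rather than rescanning the RAS host.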



