[unisog] RE: very high Inbound 1025 traffic increase

Harris, Michael C. HarrisMC at health.missouri.edu
Fri Apr 1 22:59:50 GMT 2005

Not much of a real threat here, except for the DoS effect the wave front had on our FW.

I'd be interested in a full capture, if you have a sample, and a list of registry changes for our incident report.

Also sources were all over the map.
We have found no correlation yet into groups of bots as a launch point or anything like that

Mike Harris
System Security Analyst & Instructor
University Of Missouri Health Center
harrismc at health.missouri.edu  KCØPAH

-----Original Message-----
From: unisog-bounces at lists.sans.org [mailto:unisog-bounces at lists.sans.org] On Behalf Of Landau, Gary
Sent: Friday, April 01, 2005 3:56 PM
To: unisog at lists.sans.org
Subject: [unisog] RE: very high Inbound 1025 traffic increase

We've had a big influx of port 1025 traffic as well.  It appears to be some sort of worm and we've had three Windows 2000 servers infected.  They would run a process called SVHOST (not to be mistaken with SVCHOST) and it would prevent them from installing security patches or running Task Manager.

Cleaning them wasn't easy either.  Our Symantec anti-virus wouldn't detect it, so we had to do a manual cleanup.  We had to boot in safe mode and remove the registry calls that start up the SVHOST process, and then delete the SVHOST file(s).

Gary Landau
Director, Network Services
Loyola Marymount University
glandau at lmu.edu
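The manual cleanup above hinges on spotting the Run-key entries that start the rogue SVHOST process, a name chosen to blend in with the genuine svchost.exe. As an added example (not from the thread or either poster), the following Python script parses an exported .reg dump of the Run keys and flags autorun entries whose executable name is a one-character near-miss of svchost.exe; it generalizes beyond "svhost" to any such lookalike. The registry contents are constructed for the example.

```python
import re

# Constructed .reg export of the two Run keys; made up for this example, not
# from the thread. svhost.exe stands in for the process name described above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SVHOST"="C:\\WINNT\\svhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINNT\\system32\\ctfmon.exe"
"Windows Update"="\"C:\\Documents and Settings\\user\\svhost.exe\" -s"
"""

LEGIT = "svchost.exe"  # the genuine service host binary the worm's name imitates

def edit_distance(a, b):
    """Levenshtein distance: one dropped, added or swapped letter counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_run_values(reg_text):
    """Yield (key, value_name, command) for string values under keys ending in \\Run."""
    key = None
    for line in reg_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and key and key.lower().endswith("\\run"):
            # undo the .reg escaping of embedded quotes and backslashes
            data = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            yield key, m.group(1), data

def find_lookalikes(reg_text, legit=LEGIT, max_distance=1):
    """Return Run entries whose executable basename is a near-miss of `legit`."""
    hits = []
    for key, name, cmd in parse_run_values(reg_text):
        m = re.search(r'([^\\/"]+\.exe)', cmd, re.IGNORECASE)  # first .exe basename
        exe = m.group(1).lower() if m else ""
        if exe and exe != legit and edit_distance(exe, legit) <= max_distance:
            hits.append((key, name, exe, cmd))
    return hits
```

Exporting the two Run keys with `reg export` (or from a safe-mode regedit session) and running `find_lookalikes` over the file gives the list of entries to remove and the file paths to delete.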
