[unisog] worm that looks for 139, 1433 and 2967

Scott Fendley scottf at uark.edu
Sun Feb 18 15:40:05 GMT 2007

For collecting malware samples, I would recommend a specialized
honeypot known as nepenthes. It emulates many of the most attacked
services, attempts to decode the file transfer mechanism being used
by the attacking computer and downloads the file for analysis.

However, in this case it may be easier to go to a known infected
computer and use tools like TcpView, Process Explorer, or similar
utilities to identify where the malware is running. Stop the
process on the infected computer and offload the malware sample to
a USB key. Then you can upload it to a place like
http://www.virustotal.com/en/indexf.html and see if any of the major
AV providers are detecting it. If it is not widely detected, you are
more than welcome to submit the sample to the Internet Storm Center
where the incident handlers can do more advanced analysis or even
send it to a master list of AV submission addresses.

At 07:13 PM 2/17/2007, you wrote:
>No. I didn't get it in my tiny little purview (that I know about ... yet)
>What is the method of choice these days for collecting specimens 
>(other than real windows machines that get viruses)?  I have a 
>machine that acts as a sensor that could get a makeover into a sort 
>of honeypot.
>On 2/17/07, C. Hamby <fixer at gci.net> wrote:
>Sounds like it could be one of the endless
>Agobot/Phatbox/xbot-of-the-week variants.  Have you managed to recover
>any specimens?
>power less wrote:
> > I noticed a bunch of hosts on our campus were infected yesterday with
> > something
> > which caused them to scan for 139,1433 and 2967. Anyone else see that?
> > Anyone have any info?
> > seems to me the previous round of malware that included 2967 also looked
> > for 5900
> > so this could be somewhat different?
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog

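Added example, not part of the original thread: one way to find the hosts described above from flow records, by flagging any source that sweeps several distinct destinations on all of 139, 1433 and 2967, and noting whether it also sweeps 5900 as the earlier round reportedly did. The record format (`src dst dport`), the addresses and the threshold are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

WORM_PORTS = {139, 1433, 2967}  # ports named in the thread
EARLIER_EXTRA = 5900            # port the earlier round also probed, per the thread
MIN_TARGETS = 3                 # assumed threshold: distinct destinations per port


def build_sample():
    """Constructed flow records, one 'src dst dport' per line (not real traffic)."""
    lines = []
    for i in range(1, 5):
        for port in (139, 1433, 2967):
            lines.append(f"10.1.1.20 10.2.0.{i} {port}")   # sweeps the three ports
        for port in (139, 1433, 2967, 5900):
            lines.append(f"10.1.1.30 10.3.0.{i} {port}")   # sweeps 5900 as well
    lines += ["10.1.1.40 10.9.9.9 1433"] * 10              # app server, one SQL host
    lines += [f"10.1.1.50 10.4.0.{i} 139" for i in range(1, 9)]  # one port only
    lines.append("garbage line")                           # malformed record
    return "\n".join(lines)


SAMPLE_FLOWS = build_sample()


def parse_flows(text):
    """Yield (src, dst, dport) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2].isdigit():
            yield parts[0], parts[1], int(parts[2])


def find_scanners(text, min_targets=MIN_TARGETS):
    """Map each suspect source to the port signature it sweeps."""
    targets = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    for src, dst, port in parse_flows(text):
        if port in WORM_PORTS or port == EARLIER_EXTRA:
            targets[src][port].add(dst)
    report = {}
    for src, by_port in targets.items():
        swept = {p for p, dsts in by_port.items() if len(dsts) >= min_targets}
        if WORM_PORTS <= swept:  # all three ports swept, not just one of them
            extra = "+5900" if EARLIER_EXTRA in swept else ""
            report[src] = "139/1433/2967" + extra
    return report


if __name__ == "__main__":
    for host, signature in sorted(find_scanners(SAMPLE_FLOWS).items()):
        print(host, signature)
```

Requiring all three ports keeps a busy file server or a host talking to a single SQL server out of the report.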