[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
New Worm/Virus April 8th
- To: <appsec-research@xxxxxxxxxxxx>
- Subject: New Worm/Virus April 8th
- From: "Polazzo Justin" <Justin.Polazzo@xxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 8 Apr 2004 09:53:17 -0400
Concerning the new worm type infection spreading around today (6:15am EST)
the file is called ndemon.exe (.99k) and it puts itself into c:\winnt and
c:winnt\system32. Registry entries HKLM\Software|Microsoft|CurrentVersion\Run
and HKLM\Software|Microsoft|CurrentVersion\RunServices (Think it creates that
one).
At first look:
it then tries to propagate itself via MS ports 135, and 139 VIA known flaws and
password guessing. It also listens for other infected machines on port 1025 and
scans for MS IIS boxes on port 80 (to try known exploits as well)
The infected machines were win2k SP4 (fully Patched) Running Symantec AV v8.6
Just a heads up
jp
Justin Polazzo
CSS II, Facilities IT
Georgia Institute of Technology
915 Atlantic Drive
Atlanta, GA 30332-0350
404-894-6804 Voice
404-894-8088 Facsimile
justin.polazzo@xxxxxxxxxxxxxxxxxxxxx
Request assistance at < http://it.facilities.gatech.edu/it-helpdesk.php>
Submit a question or comment at < http://it.facilities.gatech.edu/comments.php>
http://www.cauce.org A site to help fight Spam
The information transmitted is intended only for the person or entity to which
it is addressed and may contain confidential and/or privileged material. Any
review, retransmission, dissemination or other use of, or taking of any action
in reliance upon, this information by persons or entities other than the
intended recipient is prohibited.
If you received this in error, please contact the sender and delete the
material from any computer.