[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re:[Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
- To: full-disclosure@xxxxxxxxxxxxxxxx
- Subject: Re:[Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
- From: "Ian Latter" <Ian.Latter@xxxxxxxxx>
- Date: Sat, 24 Apr 2004 11:04:51 +1000
We saw this a week+ ago ... I'm pretty sure the support peeps found that
this was a recent Netsky variant (V?) .. not sure. It was just a bit too
new for the Virus scanner at that time.
----- Original Message -----
>From: "Willem Koenings" <isec@xxxxxxxxxx>
>To: <full-disclosure@xxxxxxxxxxxxxxxx>
>Subject: [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp
80/6129/1025/3127
>Date: Fri, 23 Apr 2004 10:38:23 -0500
>
>
> > Sound familiar to anyone?
>
> Today catched worm wmiprvsw.exe. This worm incorporates
> stealth capabilities - it hides it's process in memory and
> also it's exe is not seen in directory listing, when worm
> is active. Although it does not hide registry entries, it
> shuts down regedit, when regedit is executed. It creates
> two registry entries 'System Updater Service' under Run
> and RunServices.
>
> Then it starts scan following ports :
>
> 2745
> 135
> 1025
> 445
> 3127
> 6129
> 139
> 3140
>
> Thats all for now - weekend :)
>
> W.
> --
> ___________________________________________________________
> Sign-up for Ads Free at Mail.com
> http://promo.mail.com/adsfreejump.htm
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
--
Ian Latter
Internet and Networking Security Officer
Macquarie University
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html