Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Kevin Pait <kevin.pait () UNCP EDU>
Date: Fri, 4 Feb 2005 15:21:30 -0500
We've been fighting this problem for the past two weeks. It seems that the virus we have been afflicted with is an unknown variant of the W32/Sdbot.worm. The variant we have drops a virus called Qhost which causes PCs to redirect away from common anti-virus sites, Windows updates, etc. McAfee provided an extra.dat to try and combat the worm but it hasn't worked well. Their latest definition file has seemed to rid the virus from some systems while others can't totally shake it. It has been very time consuming for our support staff as our only totally successful recourse has been to format, reinstall, and apply updates totally offline.

Check traffic on ports 135, 445, and 1025 - this is how we have identified afflicted PCs. Affected machines are W2000 and XP - some having most of their updates and latest virus definitions in place.

Good luck.

_____

From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, February 04, 2005 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Worm activity/port 445

We're seeing a lot of 445 scanning and an increasing rate of infection - users complaining about a wide array of pop-ups, redirects and other spyware type symptoms, slowing their systems to a crawl. Anyone else seeing something similar?

Craig

--
Craig Blaha
Associate Director
Information Policy, Security and Web Development
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure. Do not use e-mail to send confidential information such as credit card numbers, changes of address, PIN numbers, passwords, or other important information. Your e-mail message is not private in that it is subject to review by the College, its officers, agents and employees.
--------------------------------------------------------------

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
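
The port check described in the reply above (traffic on ports 135, 445 and 1025), sketched as an added example that is not part of the original thread: it flags internal sources that reach many distinct destinations on those ports. The flow-record format, the sample addresses and the fan-out threshold are assumptions made for illustration.

```python
from collections import defaultdict

WATCHED_PORTS = {135, 445, 1025}   # the three ports named in the post
FANOUT_THRESHOLD = 5               # assumed cut-off: distinct targets per source

# Constructed flow records, one per line: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.1.5.23 10.1.6.1 445 tcp
10.1.5.23 10.1.6.2 445 tcp
10.1.5.23 10.1.6.3 445 tcp
10.1.5.23 10.1.6.4 135 tcp
10.1.5.23 10.1.6.5 1025 tcp
10.1.5.23 10.1.6.3 135 tcp
10.1.5.40 10.1.1.10 445 tcp
10.1.5.40 10.1.1.10 445 tcp
10.1.5.40 10.1.1.11 445 tcp
10.1.5.77 192.0.2.8 80 tcp
garbage line
"""

def parse_flows(text):
    """Yield (src, dst, dport) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].lower() != "tcp":
            continue
        try:
            dport = int(parts[2])
        except ValueError:
            continue
        yield parts[0], parts[1], dport

def suspect_hosts(text, threshold=FANOUT_THRESHOLD):
    """Return {src: {port: distinct_dst_count}} for sources whose distinct
    destinations across the watched ports reach the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_flows(text):
        if dport in WATCHED_PORTS:
            targets[src][dport].add(dst)
    report = {}
    for src, by_port in targets.items():
        all_dsts = set().union(*by_port.values())
        if len(all_dsts) >= threshold:
            report[src] = {p: len(d) for p, d in sorted(by_port.items())}
    return report

if __name__ == "__main__":
    for host, ports in suspect_hosts(SAMPLE_FLOWS).items():
        print(host, ports)
```

Counting distinct destinations rather than raw connections keeps a workstation that talks repeatedly to one or two file servers on 445 out of the report.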