Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Eric van Wiltenburg <vanwilt () UVIC CA>
Date: Fri, 4 Feb 2005 12:43:38 -0800
Yesterday our IPS suddenly detected a number of on-campus hosts exploiting LSASS vulnerabilities to other on-campus hosts in our /16 address space, and then phoning home to an IRC server. It appears to be another IRC bot, probably an SD.Bot variant (we captured some definitive IRC traffic), and it appears a file called "msfwe1.exe" is the culprit. AV vendors don't seem to detect it yet, but googling shows that virusscan.jotti.org says "behaveslike:win32.irc-backdoor" for that filename.

Eric van Wiltenburg
Network Security Analyst
University of Victoria

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
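
A flow-log correlation for the pattern reported in this message (on-campus hosts hitting other on-campus hosts on port 445, then connecting to an IRC server), as an added example that is not part of the original post. The 10.20.0.0/16 range, IRC port 6667, the off-campus location of the IRC server, the thresholds and the flow records are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

CAMPUS = ipaddress.ip_network("10.20.0.0/16")  # constructed stand-in for the campus /16
IRC_PORTS = {6667}   # assumption: the post does not say which port the IRC server used
MIN_TARGETS = 3      # assumption: distinct on-campus 445 targets that count as a sweep
WINDOW = 900         # assumption: max seconds between the sweep and the IRC connection

# Constructed flow records: (epoch seconds, source, destination, destination port)
SAMPLE_FLOWS = [
    (1000, "10.20.5.17", "10.20.8.1", 445),
    (1002, "10.20.5.17", "10.20.8.2", 445),
    (1004, "10.20.5.17", "10.20.8.3", 445),
    (1060, "10.20.5.17", "198.51.100.7", 6667),  # sweep, then IRC: flagged
    (1100, "10.20.9.40", "10.20.1.10", 445),     # a single file server only
    (1120, "10.20.9.40", "198.51.100.7", 6667),  # ordinary IRC user: not flagged
    (1200, "10.20.3.3", "10.20.8.1", 445),
    (1201, "10.20.3.3", "10.20.8.2", 445),
    (1202, "10.20.3.3", "10.20.8.4", 445),       # sweep with no IRC: not flagged here
    (5000, "10.20.7.7", "10.20.8.1", 445),
    (5001, "10.20.7.7", "10.20.8.2", 445),
    (5002, "10.20.7.7", "10.20.8.3", 445),
    (9000, "10.20.7.7", "198.51.100.7", 6667),   # IRC long after sweep: outside window
]

def on_campus(addr, campus=CAMPUS):
    return ipaddress.ip_address(addr) in campus

def find_bot_candidates(flows, campus=CAMPUS, min_targets=MIN_TARGETS, window=WINDOW):
    """Map each flagged campus host to the off-campus IRC servers it contacted."""
    smb_seen = defaultdict(list)   # source -> [(time, campus target)] seen on port 445
    flagged = defaultdict(set)
    for ts, src, dst, dport in sorted(flows):
        if not on_campus(src, campus):
            continue
        if dport == 445 and on_campus(dst, campus):
            smb_seen[src].append((ts, dst))
        elif dport in IRC_PORTS and not on_campus(dst, campus):
            # Count distinct 445 targets this host touched shortly before the IRC flow.
            recent = {d for t, d in smb_seen[src] if ts - t <= window}
            if len(recent) >= min_targets:
                flagged[src].add(dst)
    return dict(flagged)

if __name__ == "__main__":
    for host, servers in find_bot_candidates(SAMPLE_FLOWS).items():
        print(host, "->", sorted(servers))
```
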