Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Eric van Wiltenburg <vanwilt () UVIC CA>
Date: Fri, 4 Feb 2005 12:43:38 -0800

Yesterday our IPS suddenly detected a number of on-campus hosts
exploiting LSASS vulnerabilities to other on-campus hosts in our /16
address space, and then phoning home to an IRC server.

It appears to be another IRC bot, probably an SD.Bot variant (we
captured some definitive IRC traffic), and it appears a file called
"msfwe1.exe" is the culprit.

AV vendors don't seem to detect it yet, but googling shows that
virusscan.jotti.org says "behaveslike:win32.irc-backdoor" for that
filename.

Eric van Wiltenburg
Network Security Analyst
University of Victoria
