Security Incidents mailing list archives
Conclusion: TCP port 139 probes
From: Pavel Kankovsky <peak () argo troja mff cuni cz>
Date: Fri, 12 Jul 2002 14:47:59 +0200 (MET DST)
I have found the following files in c:\windows on multiple machines probing port 139/tcp on addresses in my network (and having publicly accessible shares (*)): MSVXD.EXE (58368 bytes) MSVXD16.DLL (54784 bytes) MSVXD32.DLL (81408 bytes) According to http://www.sarc.com/avcenter/venc/data/w32.datom.worm.html, these files indicate the presence of a worm called "Datom" that spreads via publicly writeable shares. Thanks to H C <keydet89 () yahoo com> who told me about the worm. (*) Yes, I know I am not authorized to access disks of random braindead lusers who share them without any kind protection. But I need 5 minutes to examine such a disk while I'd need much longer to build a half-decent honeypot. Anyway, those lusers should be happy I did not erase any of their precious files just to teach them it is a bad idea to leave them unprotected. Yes, I am evil. --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ] "Resistance is futile. Open your source code and prepare for assimilation." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Conclusion: TCP port 139 probes Pavel Kankovsky (Jul 12)