Security Incidents mailing list archives
Re: Unusual volume: UDP:137 probes
From: James Sneeringer <james+incidents () vincentsystems com>
Date: Tue, 1 Oct 2002 15:26:49 -0500
On Tue, Oct 01, 2002 at 06:45:22PM +0200, Axel Pettinger wrote: | Yesterday morning I sent a file (name: SCRSVR.EXE) into various anti | virus labs and asked them to confirm my suspicion that it was a new | open share worm. Since this morning my suspicion is confirmed. I think | that it is related with the reports of "unusually high volumes of | UDP:137 probes". It's the same malicious program Mark Forsyth has | already mentioned. It looks as though it can be distinguished from legitimate NetBIOS traffic. Normal udp/137 will have 137 as the source and destination (for file shares, anyway). This worm uses an arbitrary 1024+ source port. -James ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- RE: Unusual volume: UDP:137 probes, (continued)
- RE: Unusual volume: UDP:137 probes Joseph R. Gruber (Sep 30)
- Re: Unusual volume: UDP:137 probes Hugo van der Kooij (Sep 30)
- SV: Unusual volume: UDP:137 probes Peter Kruse (Oct 01)
- Re: Unusual volume: UDP:137 probes Christopher Albert (Sep 30)
- RE: Unusual volume: UDP:137 probes Richard . Grant (Oct 01)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- Re: Unusual volume: UDP:137 probes Alain Fauconnet (Oct 04)
- Re: Unusual volume: UDP:137 probes Matt Power (Oct 05)
- RE: Unusual volume: UDP:137 probes Nick FitzGerald (Oct 03)
- RE: Unusual volume: UDP:137 probes Scott, Michael R. (Oct 01)
- Re: Unusual volume: UDP:137 probes Axel Pettinger (Oct 01)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
- maybe a simple problem Andrew Fison (Oct 02)
- Re: maybe a simple problem Igor D. Spivak (Oct 02)
- RE: maybe a simple problem Greg Reber (Oct 03)
- Re: maybe a simple problem Brad Arlt (Oct 03)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
- Re: Unusual volume: UDP:137 probes John Sage (Oct 01)