Security Incidents mailing list archives
Re: Netbios Name Scans/opaserv worm
From: H C <keydet89 () yahoo com>
Date: Thu, 6 Feb 2003 14:02:50 -0800 (PST)
> Is there any legitimate reason for these types of random netbios name scans, or any netbios name scan for that matter?

Hhhhmmmm...a traffic capture might be something to do. Or, when the traffic occurs, run fport on the system to see which process is using the source port...

> Also, does anyone know if there is any way to remotely detect this worm on a machine without running a local virus scan?

Well, depending on the variant, it should be pretty easy to do:

http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html

Seems all you have to do is scan for the files on the root of the drive, or even easier is the Registry key. I run monthly scans to check the ubiquitous Run key, as well as others...using Perl, of course.
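
The Run key check described in the reply above, as an added example that is not part of the original post or the poster's Perl script. It assumes the text was collected with `reg query \\HOST\HKLM\Software\Microsoft\Windows\CurrentVersion\Run`. Because the post does not list the worm's value names, it compares against a known-good baseline and also flags entries launched from a drive root; the sample output, baseline and entry names are constructed placeholders.

```python
import re
from pathlib import PureWindowsPath

# One value line of `reg query` output: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_run_values(reg_output):
    """Return {value_name: command} from the text output of `reg query`."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m["name"]] = m["data"].strip()
    return values

def executable_path(command):
    """Extract the program path from a Run command line (quoted or unquoted)."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr|bat|cmd|pif|dll))(?:\s|$)", command, re.I)
    return m.group(1) if m else command.split(" ", 1)[0]

def in_drive_root(path):
    """True when the file sits directly in the root directory of a drive."""
    p = PureWindowsPath(path)
    return bool(p.drive) and p.parent == PureWindowsPath(p.anchor)

def audit(reg_output, baseline):
    """Flag Run entries that are new, changed, or launched from a drive root."""
    findings = []
    for name, command in sorted(parse_run_values(reg_output).items()):
        if name not in baseline:
            findings.append((name, "not in baseline", command))
        elif baseline[name].lower() != command.lower():
            findings.append((name, "command changed", command))
        if in_drive_root(executable_path(command)):
            findings.append((name, "runs from drive root", command))
    return findings

# Constructed sample: not captured from a real host, names are placeholders.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    ExampleUnknown    REG_SZ    C:\example.exe
"""
BASELINE = {"ExampleAV": r'"C:\Program Files\ExampleAV\avtray.exe" /min'}

if __name__ == "__main__":
    for finding in audit(SAMPLE, BASELINE):
        print(*finding, sep=" | ")
```

A flagged entry is a lead for follow-up on that host, not a confirmed infection; legitimate software installed since the baseline was taken shows up the same way.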
Current thread:
- Netbios Name Scans/opaserv worm rocky_scotti (Feb 06)
- Re: Netbios Name Scans/opaserv worm H C (Feb 06)