Security Incidents mailing list archives

Re: Increase in Scans of Port 445?


From: Thomas Schmitz <Thomas.Schmitz () dtms de>
Date: Mon, 10 Mar 2003 22:00:33 +0100

Rich,

I think it is the new worm called DELODER and is described at the website of Trend Micro:

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A

The German site http://www.heise.de has written today (in German only unfortunately) that the worm spreads via Windows network shares at port 445. It tries to get access by a built-in list of 85 commonly known weak "Administrator" passwords. After getting access it writes a write-protected copy of itself in the Windows directory named Dvldr32.exe. Then it installs and runs a backdoor program listening at port 5800. The backdoor program hides itself as "Explorer.exe". The worm is spreading especially in China but may come to the US and Europe too.

Best regards,

Thomas.

Compton, Rich wrote:
Hey guys,
I've noticed on Incidents.org (http://isc.incidents.org/port_details.html?port=445) that there is an increase in traffic to port 445. Is this because of this "Dropper" virus? I noticed that the McAfee link (http://vil.nai.com/vil/content/v_100124.htm) stated that the risk of this virus is very low but if we are seeing such an increase in traffic to this port then it does seem like boxes are getting infected. Perhaps it is more of a threat than was first considered (especially to home users). Is there some other method of preventing this worm from infecting a box other than turning off (or blocking) sharing?
Thanks,
Rich Compton
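The two network symptoms named in this thread, a host sweeping TCP/445 across many neighbours and connections to the TCP/5800 backdoor port, can be pulled out of ordinary firewall logs. The script below is an added example, not part of the original thread or of any vendor tool; the log line format, the sample lines and the sweep threshold of five distinct 445 targets are assumptions chosen for illustration.

```python
"""
Flag hosts showing the DELODER symptoms described in the thread:
  1. a source contacting TCP/445 on many distinct peers (share brute-forcing sweep)
  2. any connection to TCP/5800 (the backdoor listener)
Log format is a constructed, firewall-style one (assumption):
  "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto> <action>"
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

SMB_PORT = 445          # port named in the thread
BACKDOOR_PORT = 5800    # backdoor listener port named in the thread
SWEEP_THRESHOLD = 5     # distinct 445 targets before a source is flagged (assumption)


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    return rec


def analyze(lines):
    """Collect per-source 445 target sets and all 5800 connections (TCP only)."""
    targets_445 = defaultdict(set)
    backdoor_hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"].lower() != "tcp":
            continue  # malformed lines and non-TCP traffic are ignored
        if rec["port"] == SMB_PORT:
            # denied attempts count too: a sweep is visible even when blocked
            targets_445[rec["src"]].add(rec["dst"])
        elif rec["port"] == BACKDOOR_PORT:
            backdoor_hits.append((rec["src"], rec["dst"]))
    sweepers = sorted(
        src for src, dsts in targets_445.items() if len(dsts) >= SWEEP_THRESHOLD
    )
    return {"smb_sweepers": sweepers, "backdoor_connections": backdoor_hits}


def likely_infected(report):
    """Hosts that both sweep 445 and receive 5800 connections: strongest signal."""
    backdoor_targets = {dst for _, dst in report["backdoor_connections"]}
    return sorted(set(report["smb_sweepers"]) & backdoor_targets)


# Constructed sample log: 10.0.0.7 sweeps six peers on 445 and then gets a
# connection on 5800; 10.0.0.9 is a normal client talking to one file server.
SAMPLE_LOG = """
2003-03-10T21:00:01 10.0.0.7 -> 192.168.1.10:445 tcp allow
2003-03-10T21:00:01 10.0.0.7 -> 192.168.1.11:445 tcp allow
2003-03-10T21:00:02 10.0.0.7 -> 192.168.1.12:445 tcp deny
2003-03-10T21:00:02 10.0.0.7 -> 192.168.1.13:445 tcp deny
2003-03-10T21:00:03 10.0.0.7 -> 192.168.1.14:445 tcp allow
2003-03-10T21:00:03 10.0.0.7 -> 192.168.1.15:445 tcp allow
2003-03-10T21:00:04 10.0.0.9 -> 192.168.1.10:445 tcp allow
2003-03-10T21:00:05 10.0.0.9 -> 192.168.1.10:445 tcp allow
2003-03-10T21:00:06 10.0.0.9 -> 192.168.1.10:137 udp allow
2003-03-10T21:00:07 203.0.113.5 -> 10.0.0.7:5800 tcp allow
this line is not a firewall record
"""


def run_sample():
    report = analyze(SAMPLE_LOG.strip().splitlines())
    report["likely_infected"] = likely_infected(report)
    return report


if __name__ == "__main__":
    for key, value in run_sample().items():
        print(f"{key}: {value}")
```

On the sample the only sweeper is 10.0.0.7, the only 5800 connection is the inbound one to that same host, and it is therefore the single "likely infected" result; the repeated, single-destination 445 traffic from 10.0.0.9 stays below the threshold, which is what keeps a normal client off the list. In practice the threshold would be tuned to the size of the subnet and the log window, and the 5800 check complements rather than replaces blocking 445 at the border, which Rich already mentions.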


