nanog mailing list archives
RE: New Worm
From: "Hire, Ejay" <Ejay.Hire () Broadslate net>
Date: Fri, 14 Sep 2001 11:25:17 -0400
I was in error. This is not a new worm. Just an old one that won't die.

http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html

Apologies.

-----Original Message-----
From: Ejay Hire [mailto:Ejay.hire () broadslate net]
Sent: Friday, September 14, 2001 12:04 PM
To: nanog () merit edu
Subject: New Worm

My honeypot was infected with a new self-replicating worm yesterday. It appears to check for open Win95/98/ME NetBIOS shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (in quiet mode). Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity. The Windows 2000 Pro PC seems unaffected. I will make the files available for disassembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system:

wininit.exe -- Application
wininit.log -- Apparent Log file
info.dll -- Apparent Log file
dnetc.exe -- Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...
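An added example, not part of the original post or thread: a Python sketch of the check described above, matching the listed names case-insensitively and then flagging other files whose modification time falls close to a match, which is how the post singles out ms216.exe. The function name, the 120-second window, and running it against a copy or mounted image of the directory are assumptions.

```python
import fnmatch
import os

# Names from the post, lowercased because Windows 9x file names are case-insensitive.
# ms216.exe is left out: the post found it by timestamp, which the pivot below repeats.
INDICATORS = {
    "wininit.exe": "scanner/infector",
    "wininit.log": "apparent log file",
    "info.dll": "apparent log file",
    "dnetc.exe": "distributed.net client",
    "dnetc.ini": "distributed.net config",
    "buff-in.*": "distributed.net work units",
}

def triage(system_dir, window_seconds=120):
    """Return (hits, co_dropped) for one directory.
    hits maps each file matching a listed name to its description; co_dropped lists
    other files modified within window_seconds (an assumed value) of any hit."""
    entries = {}
    for entry in os.scandir(system_dir):
        if entry.is_file(follow_symlinks=False):
            entries[entry.name] = entry.stat(follow_symlinks=False).st_mtime
    hits = {}
    for name in entries:
        for pattern, what in INDICATORS.items():
            if fnmatch.fnmatchcase(name.lower(), pattern):
                hits[name] = what
                break
    hit_times = [entries[name] for name in hits]
    co_dropped = sorted(
        name for name, mtime in entries.items()
        if name not in hits
        and any(abs(mtime - t) <= window_seconds for t in hit_times)
    )
    return hits, co_dropped

if __name__ == "__main__":
    import sys
    found, nearby = triage(sys.argv[1])
    for name, what in sorted(found.items()):
        print(f"indicator  {name}  ({what})")
    for name in nearby:
        print(f"same-time  {name}")
```

A file in the same-time list is only a lead for closer inspection, since legitimate files written in the same window will appear there too.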