Educause Security Discussion mailing list archives
Re: New Virus/Trojan/...?
From: James Riden <j.riden () MASSEY AC NZ>
Date: Tue, 5 Oct 2004 10:00:26 +1300
Jason Brooks <brooksje () LONGWOOD EDU> writes:
> Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels of port scanning for port 445 from our students. We have obtained one laptop for analysis. Here are our findings:
>
> Process Quicktimee.exe is opening numerous outbound connections to destination port 445 (Note extra "e"). The box is Win2K SP4, McAfee A/V (7.1) current definitions (4396).

<snip>

> So, with that, does it look familiar to anyone? McAfee doesn't know it, and can't turn up anything seemingly related in Google, etc. Suggestions/Help?

Try connecting it to a Windows box (patched up to date), or honeypot of some kind and then get a tcpdump log - both to see the scanning pattern and to try to capture the payload that's probably going to be sent to port 445. I've seen some Welchia.B or Korgo-like activity recently, trying to exploit 445/tcp.

cheers,
Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.