Educause Security Discussion mailing list archives

Re: New Virus/Trojan/...?


From: James Riden <j.riden () MASSEY AC NZ>
Date: Tue, 5 Oct 2004 10:00:26 +1300

Jason Brooks <brooksje () LONGWOOD EDU> writes:

Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels
of port scanning for port 445 from our students.  We have obtained one
laptop for analysis.  Here are our findings:

        Process Quicktimee.exe is opening numerous outbound connections to
destination port 445 (Note extra "e").
        The box is Win2K SP4, McAfee A/V (7.1) current definitions (4396).
<snip>
So, with that, does it look familiar to anyone?  McAfee doesn't know it, and
can't turn up anything seemingly related in Google, etc.

Suggestions/Help?

Try connecting it to a Windows box (patched up to date), or a honeypot
of some kind, and then get a tcpdump log - both to see the scanning
pattern and to try to capture the payload that's probably going to be
sent to port 445.

I've seen some Welchia.B or Korgo-like activity recently, trying to
exploit 445/tcp.

cheers,
 Jamie
--
James Riden / j.riden () massey ac nz / Systems Security Engineer
Information Technology Services, Massey University, NZ.
GPG public key available at: http://www.massey.ac.nz/~jriden/
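As an added illustration of the tcpdump-based triage suggested in the reply above (example code, not from the original thread): once the suspect laptop's traffic is captured, this script reads tcpdump text output and flags any host that sends pure SYNs to many distinct destinations on 445/tcp, which is the scanning pattern described. The sample capture lines and the 10.20.x.x addresses are constructed, the threshold of five targets is an assumption, and the line format assumed is current tcpdump `-n` output with `Flags [S]`.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n` text output (not from the original thread):
# one host sweeping 445/tcp with SYNs, one normal SMB connection, one web request.
SAMPLE_TCPDUMP = """\
16:45:01.000100 IP 10.20.30.40.1031 > 10.20.31.5.445: Flags [S], seq 100, win 16384, length 0
16:45:01.000400 IP 10.20.30.40.1032 > 10.20.31.6.445: Flags [S], seq 101, win 16384, length 0
16:45:01.000700 IP 10.20.30.40.1033 > 10.20.31.7.445: Flags [S], seq 102, win 16384, length 0
16:45:01.001000 IP 10.20.30.40.1034 > 10.20.31.8.445: Flags [S], seq 103, win 16384, length 0
16:45:01.001300 IP 10.20.30.40.1035 > 10.20.31.9.445: Flags [S], seq 104, win 16384, length 0
16:45:02.500000 IP 10.20.30.41.2048 > 10.20.1.10.445: Flags [S], seq 200, win 16384, length 0
16:45:02.600000 IP 10.20.1.10.445 > 10.20.30.41.2048: Flags [S.], seq 300, ack 201, win 16384, length 0
16:45:03.000000 IP 10.20.30.42.3000 > 10.20.1.20.80: Flags [S], seq 400, win 16384, length 0
"""

# One tcpdump -n TCP line: timestamp, src.port > dst.port, TCP flags in brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_syns_to_port(text, port=445):
    """Yield (src, dst) for every pure SYN (no ACK) sent to the given port."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ARP, ICMP, truncated or otherwise unparseable lines
        if m["flags"] == "S" and int(m["dport"]) == port:
            yield m["src"], m["dst"]


def find_scanners(text, port=445, min_targets=5):
    """Return {src: distinct_target_count} for sources that SYN to at least
    min_targets different destinations on `port` (threshold is an assumption)."""
    targets = defaultdict(set)
    for src, dst in parse_syns_to_port(text, port):
        targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_TCPDUMP).items():
        print(f"{src} sent SYNs to {n} distinct hosts on 445/tcp")
```

With a real capture, `tcpdump -n -r capture.pcap 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'` produces input in this shape; the 10.20.30.41 host, which completes a single handshake, is correctly left unflagged.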
