Educause Security Discussion mailing list archives

Re: explorexp.exe


From: "Borne, Chris" <cborne () REGIS EDU>
Date: Tue, 16 Nov 2004 17:31:55 -0700

We started seeing this a week or so ago. If I'm repeating someone's
post, I apologize. I haven't had time to keep up with my lists this
week.

It causes large spikes in network traffic, and has been disruptive
sporadically. The list of files we found related to this are:

bling.exe
secmgr16.exe
secmgr32.exe
fukerz.exe
o.
o.bat
svhost.exe

O has an IP of a remote location, the worm appears to start a DDoS on
it. These IPs vary from PC to PC. This seems to use the Sasser
vulnerability. When infected, the PCs appear to have a firewall, and
we could not push patches out to them. I think the worm is referenced
somewhere by one of the major AV vendors as bling. I was not a primary
player on this one, and that's all I recall on this one. If you're
stuck, email me off-list and I can have someone get to you with how
we've been fighting this.

Chris Borne
Systems Manager
Regis University  

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
Sent: Tuesday, November 16, 2004 1:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] explorexp.exe

We're seeing machines scanning on TCP 445 that have the file
explorexp.exe installed on them. In certain cases we've also found a
file called "o" that contained an ftp script to download the
explorexp.exe file from another host with the same characteristics. Is
anyone else seeing this?

Shawn
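The two symptoms described in this thread, hosts sweeping TCP 445 across many neighbours and infected hosts pushing a flood of traffic at one remote IP, are both easy to pick out of flow records. The script below is an added example and is not code from either poster; the flow log format (`ts src dst dport bytes`), the addresses, and the thresholds (20 distinct 445 targets in 60 seconds, 50 MB to a single destination) are assumptions chosen for illustration, and the sample records are constructed inline.

```python
"""Flag likely worm activity in flow records (added example, not from the
original thread): hosts sweeping TCP 445 across many destinations, and hosts
sending a flood of bytes to one remote IP. Log format, addresses and
thresholds are assumptions for this example."""
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Tuple


class Flow(NamedTuple):
    ts: int       # epoch seconds
    src: str
    dst: str
    dport: int
    nbytes: int


def parse_flows(lines: List[str]) -> List[Flow]:
    """Parse whitespace-separated 'ts src dst dport bytes' records.
    Blank lines and '#' comments are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split()
        flows.append(Flow(int(ts), src, dst, int(dport), int(nbytes)))
    return flows


def find_445_scanners(flows: List[Flow], window: int = 60,
                      min_targets: int = 20) -> Dict[str, int]:
    """Return {src: peak distinct dsts} for hosts that touch at least
    min_targets distinct destinations on TCP 445 within any window-second
    span. A legitimate client talks to a handful of file servers; a worm
    walks the subnet."""
    by_src = defaultdict(list)
    for f in flows:
        if f.dport == 445:
            by_src[f.src].append((f.ts, f.dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        in_window: Counter = Counter()   # dst -> hits inside the window
        left = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event is within the window.
            while events[left][0] < ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            scanners[src] = peak
    return scanners


def find_flood_sources(flows: List[Flow],
                       min_bytes: int = 50_000_000) -> Dict[Tuple[str, str], int]:
    """Return {(src, dst): total bytes} for pairs whose volume reaches
    min_bytes; a single internal host dumping tens of MB at one remote IP
    matches the DDoS behaviour reported in the thread."""
    totals: Counter = Counter()
    for f in flows:
        totals[(f.src, f.dst)] += f.nbytes
    return {pair: b for pair, b in totals.items() if b >= min_bytes}


def sample_flow_lines() -> List[str]:
    """Constructed records, not real traffic: one 445 sweeper, one normal
    SMB client, and one host flooding a TEST-NET address."""
    lines = ["# ts src dst dport bytes"]
    # 10.1.2.3 sweeps 40 hosts on TCP 445 in 40 seconds (scanner).
    for i in range(1, 41):
        lines.append(f"{1000 + i} 10.1.2.3 10.1.3.{i} 445 120")
    # 10.1.2.50 talks to a single file server (normal).
    for i in range(3):
        lines.append(f"{1100 + i} 10.1.2.50 10.1.0.10 445 4096")
    # 10.1.2.7 sends 10 x 6 MB to one remote IP (flood).
    for i in range(10):
        lines.append(f"{1200 + i} 10.1.2.7 203.0.113.9 80 6000000")
    return lines


if __name__ == "__main__":
    flows = parse_flows(sample_flow_lines())
    print("TCP 445 scanners:", find_445_scanners(flows))
    print("flood sources:", find_flood_sources(flows))
```

Hosts that appear in the scanner list are the ones to pull off the network and check for the file names listed in this thread; the flood list gives the remote IP that each infected PC is attacking, which varies per host according to the reply above.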

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.

