Educause Security Discussion mailing list archives
Re: explorexp.exe
From: "Borne, Chris" <cborne () REGIS EDU>
Date: Tue, 16 Nov 2004 17:31:55 -0700
We started seeing this a week or so ago. If I'm repeating someone's post, I apologize. I haven't had time to keep up with my lists this week.

It causes large spikes in network traffic, and has been disruptive sporadically. The list of files we found related to this is:

bling.exe
secmgr16.exe
secmgr32.exe
fukerz.exe
o.
o.bat
svhost.exe

O has an IP of a remote location; the worm appears to start a DDoS on it. These IPs vary from PC to PC.

This seems to use the Sasser vulnerability. When infected, the PCs appear to have a firewall, and we could not push patches out to them.

I think the worm is referenced somewhere by one of the major AV vendors as bling. I was not a primary player on this one, and that's all I recall on this one. If you're stuck, email me off-list and I can have someone get to you with how we've been fighting this.

Chris Borne
Systems Manager
Regis University

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Shawn Kohrman
Sent: Tuesday, November 16, 2004 1:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] explorexp.exe

We're seeing machines scanning on TCP 445 that have the file explorexp.exe installed on them. In certain cases we've also found a file called "o" that contained an ftp script to download the explorexp.exe file from other host with the same characteristics.

Is anyone else seeing this?

Shawn

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
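Added example, not part of either post: one way to pick out hosts showing the TCP 445 scanning described in this thread from flow records, by counting distinct destinations per source inside a sliding time window. The record layout, the 60-second window, the threshold of 5 destinations and all addresses are assumptions made for the example; the sample flows are constructed.

```python
from collections import defaultdict, deque

SMB_PORT = 445          # destination port named in the thread
WINDOW_SECONDS = 60     # assumed observation window
MIN_DISTINCT_DSTS = 5   # assumed threshold; tune against normal file-server traffic

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port)
SAMPLE_FLOWS = (
    # one host sweeping a subnet on 445
    [(1000 + i, "10.1.1.23", f"10.1.2.{i + 1}", 445) for i in range(8)]
    # ordinary client talking repeatedly to a single file server
    + [(1000 + 30 * i, "10.1.1.40", "10.1.9.5", 445) for i in range(8)]
    # several 445 destinations, but spread over a long period
    + [(1000 + 400 * i, "10.1.1.77", f"10.1.3.{i + 1}", 445) for i in range(6)]
    # unrelated web traffic from the sweeping host
    + [(1005, "10.1.1.23", "192.0.2.10", 80)]
)


def find_smb_scanners(flows, window=WINDOW_SECONDS, min_dsts=MIN_DISTINCT_DSTS):
    """Return {src_ip: peak distinct TCP/445 destinations seen in any window}
    for every source whose peak reaches min_dsts."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)       # src -> highest distinct-destination count so far
    for ts, src, dst, dport in sorted(flows):
        if dport != SMB_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        # Drop flows that have aged out of the window ending at ts.
        while q and q[0][0] <= ts - window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {src: n for src, n in peak.items() if n >= min_dsts}


if __name__ == "__main__":
    for src, n in sorted(find_smb_scanners(SAMPLE_FLOWS).items()):
        print(f"{src} contacted {n} distinct hosts on TCP {SMB_PORT} within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connections keeps a busy client of one file server from being flagged, and widening the window catches slower sweeps at the cost of more false positives.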
Current thread:
- explorexp.exe Shawn Kohrman (Nov 16)
- <Possible follow-ups>
- Re: explorexp.exe Borne, Chris (Nov 16)