Educause Security Discussion mailing list archives
Re: Worm activity/port 445
From: Matt Kirchhoff <mek () PDX EDU>
Date: Fri, 4 Feb 2005 12:05:42 -0800
Quoth Craig Blaha on 2/4/2005 11:54 AM:

> We're seeing a lot of 445 scanning and an increasing rate of infection - users complaining about a wide array of pop-ups, redirects and other spyware type symptoms, slowing their systems to a crawl.

We're seeing this as well, and have been for several months. Most of the 445 activity is a result of SDBOT (Symantec name) variants. 445 attacks are still #1 on the ISC top 10 list (http://isc.sans.org/top10.php).

The majority of ResNet systems we see with viral infections are infected with this, as it spreads easily through weak admin passwords *or* Windows vulnerabilities, depending on the variant. Generally an executable is added to Windows\System32 (WinXP) and an entry added to the assorted "Run" keys in the registry. Executable names vary quite a bit. Manual removal seems to be the modus operandi.

--
Matt Kirchhoff
Information Technology Consultant
User Support Services
Office of Information Technologies
Portland State University
mek () pdx edu

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
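
A defender-side triage script for the persistence pattern described in the message above (an executable under Windows\System32 started from a "Run" key), added here as an example and not part of the original post. It assumes PowerShell 3.0 or later and the standard Run/RunOnce keys under HKLM and HKCU; flagging files without a valid Authenticode signature is an assumed heuristic for prioritizing manual review, not a detection for any specific variant.

```powershell
# Added example: triage Run/RunOnce autostart entries that launch a file under System32.
# The signature check is an assumed review heuristic, not something the post describes.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$sys32 = Join-Path $env:SystemRoot 'System32'

function Resolve-RunTarget {
    # Extract the executable path from a Run value's command line.
    param([string]$Command)
    $cmd = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
    elseif ($cmd -match '^(.+?\.(exe|com|scr|pif|bat|cmd))(\s|$)') { $exe = $Matches[1] }
    else { $exe = ($cmd -split '\s+')[0] }
    # A bare file name is resolved through the search path, which includes System32.
    if (-not (Split-Path -Path $exe -Parent)) { $exe = Join-Path $sys32 $exe }
    return $exe
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $regKey = Get-Item -Path $key
    foreach ($name in $regKey.GetValueNames()) {
        $command = [string]$regKey.GetValue($name)
        if ([string]::IsNullOrWhiteSpace($command)) { continue }
        $path = Resolve-RunTarget -Command $command
        # Keep only targets inside System32 that still exist on disk.
        if (-not $path.StartsWith(($sys32 + '\'), [StringComparison]::OrdinalIgnoreCase)) { continue }
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) { continue }
        $file = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        [pscustomobject]@{
            Key       = $key
            ValueName = $name
            Path      = $path
            Created   = $file.CreationTime
            Signature = $sig.Status
            Signer    = $sig.SignerCertificate.Subject
            Review    = ($sig.Status -ne 'Valid')   # unsigned or invalid: look at it first
        }
    }
}
# Entries needing review sort to the top.
$findings | Sort-Object Review -Descending | Format-Table -AutoSize -Wrap
```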