Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Matt Kirchhoff <mek () PDX EDU>
Date: Fri, 4 Feb 2005 12:05:42 -0800

Quoth Craig Blaha on 2/4/2005 11:54 AM:
We're seeing a lot of 445 scanning and an increasing rate of infection -
users complaining about a wide array of pop-ups, redirects and other
spyware type symptoms, slowing their systems to a crawl.


We're seeing this as well, and have been for several months. Most of the
445 activity is a result of SDBOT (Symantec name) variants. 445 attacks
are still #1 on the ISC top 10 list (http://isc.sans.org/top10.php).

The majority of ResNet systems we see with viral infections are infected
with this, as it spreads easily through weak admin passwords *or*
Windows vulnerabilities, depending on the variant.

Generally an executable is added to Windows\System32 (WinXP) and an
entry added to the assorted "Run" keys in the registry. Executable names
vary quite a bit. Manual removal seems to be the modus operandi.

--
Matt Kirchhoff
Information Technology Consultant
User Support Services
Office of Information Technologies
Portland State University
mek () pdx edu
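As an added triage example (not part of the original post or of any vendor tool), the Run-key persistence Matt describes can be checked for on a host with the script below: it walks the usual "Run"/"RunOnce" keys, extracts the executable path from each value, and flags anything that lives under System32 but carries no valid Authenticode signature. It assumes Windows PowerShell 5.1 on a modern Windows host; the key list and the "unsigned in System32" heuristic are this example's own assumptions, not something the post specifies.

```powershell
# Added example: enumerate autorun entries and flag unsigned executables in System32.
# Assumes Windows PowerShell 5.1; run elevated to read HKLM reliably.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$system32 = Join-Path $env:SystemRoot 'System32'

function Get-CommandPath {
    param([string]$Command)
    # A Run value may be quoted and may carry arguments,
    # e.g.  "C:\Windows\System32\foo.exe" -silent  -> C:\Windows\System32\foo.exe
    if ($Command -match '^"([^"]+)"') { return $Matches[1] }
    return ($Command -split '\s+')[0]
}

function Get-SuspiciousAutoruns {
    $findings = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath etc.)
            $exe = Get-CommandPath -Command ([string]$p.Value)
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            $inSystem32 = $exe -like "$system32\*"
            $signed = $false
            if (Test-Path -LiteralPath $exe) {
                # Status is 'Valid' only when the file is signed and the chain verifies
                $signed = (Get-AuthenticodeSignature -FilePath $exe).Status -eq 'Valid'
            }
            $findings += [pscustomobject]@{
                Key        = $key
                ValueName  = $p.Name
                Executable = $exe
                InSystem32 = $inSystem32
                Signed     = $signed
                Suspicious = ($inSystem32 -and -not $signed)
            }
        }
    }
    return $findings
}

# Show only the entries worth a closer look; drop the filter to see every autorun.
Get-SuspiciousAutoruns | Where-Object Suspicious | Format-Table -AutoSize
```

Legitimate unsigned software will also show up here, so treat a hit as a starting point for checking the file's hash and origin rather than as a verdict.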
