RE: New variant of Nachi ?

["Discini, Sonny" <Sonny.Discini () montgomerycountymd gov>]

On the hosts that are infected, are you seeing TCP port 707 open? This
is one of the consistant things that we are seeing. I guess it wouldn't
hurt to mention that most of the triggers here are identifying this as
W32.Welchia while others are identifying it as Nachia.


Sonny Discini
Network Security Engineer
Department of Technical Services
Enterprise Infrastructure Division
Montgomery County Government


-----Original Message-----
From: Helmut Springer [mailto:delta () faveve uni-stuttgart de] 
Sent: Wednesday, October 29, 2003 2:59 AM
To: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] New variant of Nachi ?


Hi,


On 29 Oct 2003 at 12:54 +0100, KF wrote:
> https://gtoc.iss.net/issEn/delivery/gtoc/index.jsp
>
> hreat Forecast
>
> Our analysts are aware of a worm actively exploiting flaws addressed 
> under Microsoft Security Bulletin MS03-026 and MS03-039. This worm 
> activity is consistent with a variation of the Nachi or LovSan worms.

> Once a host is infected, it will attempt to propagate outbound via 
> port 445.

Has anyone seen any evidence besides this and the two postings on public
lists?  No real trace after more than 24h it seems...


-- 
MfG/Best Regards,                  "If we keep our pride...
helmut springer                     Though paradise is lost
                                    We will pay the price,
                                    But we will not count the cost."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html