Re:Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

["Ian Latter" <Ian.Latter () mq edu au>]

We saw this a week+ ago ... I'm pretty sure the support peeps found that
this was a recent Netsky variant (V?) .. not sure.  It was just a bit too 
new for the Virus scanner at that time.



----- Original Message -----
> From: "Willem Koenings" <isec () europe com>
> To: <full-disclosure () lists netsys com>
> Subject:  [Full-disclosure] Re: Outbreak of a virus on campus, scanning tcp 
80/6129/1025/3127
> Date: Fri, 23 Apr 2004 10:38:23 -0500
>
>
> > Sound familiar to anyone?
>
> Today catched worm wmiprvsw.exe. This worm incorporates
> stealth capabilities - it hides it's process in memory and
> also it's exe is not seen in directory listing, when worm
> is active. Although it does not hide registry entries, it
> shuts down regedit, when regedit is executed.  It creates
> two registry entries 'System Updater Service' under Run
> and RunServices.
>
> Then it starts scan following ports :
>
> 2745
> 135
> 1025
> 445
> 3127
> 6129
> 139
> 3140
>
> Thats all for now - weekend :)
>
> W.
> -- 
> ___________________________________________________________
> Sign-up for Ads Free at Mail.com
> http://promo.mail.com/adsfreejump.htm
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

--
Ian Latter
Internet and Networking Security Officer
Macquarie University

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html