Security Incidents mailing list archives
Re: new scanner tool or blind luck?
From: Thierry <thierry () PURGE-IT COM>
Date: Mon, 14 Aug 2000 01:40:35 +0100
Hello, This could be Win32.Chainsaw NAME: Win32.Chainsaw v1.00 TYPE: NetBios/SubSeven/NetBus worm. AUTHOR: T-2000 / Immortal Riot. E-MAIL: T2000_ () hotmail com PAYLOAD: Sector trashing. FEATURES: - Disables ZoneAlarm firewall. - Not visible in 9x tasklist. - Sends usenet message on installation. - DoS'es random hosts on 31st of any month. - Anti-debugging code. Randomly scans the Internet for hosts running either SubSeven 2, NetBus 1, or NetBios, and then installs itself in the systems it can get access to. It's main payload is to IGMP DoS random Internet hosts on every 31st of the month, which will BSOD every released version of Windoze 95/98 that isn't patched or firewalled. ---> infos found on TLSecurity So the question is if you also noticed scans on port 12345 (netbus) and 1243 (If my memory is good) (subseven) from the same IP ranges, if yes, this could be the explanation for it. Thierry http://www.purge-it.com/?incidents
Current thread:
- new scanner tool or blind luck? T. Esting (Sep 13)
- Re: new scanner tool or blind luck? Thierry (Sep 13)
- Re: new scanner tool or blind luck? Ken Armstrong (Sep 14)
- Re: new scanner tool or blind luck? Thomas Molina (Sep 14)
- Re: new scanner tool or blind luck? Harlan S. Barney, Jr. (Sep 14)
- Re: new scanner tool or blind luck? Josh Brandt (Sep 14)
- Re: new scanner tool or blind luck? George Bakos (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- Re: new scanner tool or blind luck? George Bakos (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- Re: new scanner tool or blind luck? Randy Mclean (Sep 14)
- <Possible follow-ups>
- Re: new scanner tool or blind luck? T. Esting (Sep 14)