Conclusion: TCP port 139 probes

[Pavel Kankovsky <peak () argo troja mff cuni cz>]

I have found the following files in c:\windows on multiple machines
probing port 139/tcp on addresses in my network (and having publicly
accessible shares (*)):

        MSVXD.EXE (58368 bytes)
        MSVXD16.DLL (54784 bytes)
        MSVXD32.DLL (81408 bytes)

According to http://www.sarc.com/avcenter/venc/data/w32.datom.worm.html,
these files indicate the presence of a worm called "Datom" that spreads
via publicly writeable shares.

Thanks to H C <keydet89 () yahoo com> who told me about the worm.

(*) Yes, I know I am not authorized to access disks of random braindead
lusers who share them without any kind protection. But I need 5 minutes
to examine such a disk while I'd need much longer to build a half-decent
honeypot. Anyway, those lusers should be happy I did not erase any of
their precious files just to teach them it is a bad idea to leave
them unprotected. Yes, I am evil.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com