Security Incidents mailing list archives

Re: Unusual volume: UDP:137 probes


From: Axel Pettinger <api () epost de>
Date: Tue, 01 Oct 2002 18:45:22 +0200

John Sage wrote:

This has received some mention on the UNISOG list and elsewhere, but
not here.

Some people have been seeing unusually high volumes of UDP:137 probes
since about 09/27/02 late, or early 09/28/02.

Yesterday morning I sent a file (name: SCRSVR.EXE) to various anti-virus
labs and asked them to confirm my suspicion that it was a new open-share
worm. As of this morning my suspicion is confirmed. I think that it is
related to the reports of "unusually high volumes of UDP:137 probes".
It's the same malicious program Mark Forsyth has already mentioned.

Here's more info about that open share worm:

SCRSVR.EXE, identified as ("older" identifications included) ...

    CA Vet RESCUE              : Win32.Opaserv.A (trojan)
    Dialogue Science DrWebWCL  : Win32.HLLW.Opasoft
    ESET NOD32DOS              : Win32/Opaserv.A
    GeCAD RAVAV                : Win32/Opaserv.A.worm
    Ikarus PSCAN               : Worm.Psp.Opasoft.A
    Kaspersky Lab KAVDOS32     : Backdoor.Opasoft -> Worm.Win32.Opasoft.a
    McAfee SCANPM              : BackDoor-ALB -> W32/Scrup.worm -> W95/Scrup.worm
    Norman NVC                 : W32/Opaserv.A
    Panda Antivirus PAVCL      : Bck/Opasoft -> W32/Opaserv
    SOFTWIN BDDOSC             : Trojan.Omageneer.A -> Win32.Worm.Opaserv.A
    Sophos SWEEP               : W32/Opaserv-A
    Symantec NAV CE VSCAND     : W32.Opaserv.Worm
    Trend Micro VSCAN32        : BKDR_OPASOFT.A -> WORM_OPASOFT.A

Descriptions:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://vil.nai.com/vil/content/v_99729.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml

Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Regards,
Axel Pettinger
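As an added example (not part of Axel's post or of the vendor write-ups linked above), a small Python script that flags sources sweeping many distinct hosts on UDP/137 in netfilter-style firewall logs, the traffic pattern an open-share worm of this kind leaves behind. The log line format and the sample lines are assumptions constructed for this example.

```python
"""Flag sources sweeping many hosts on UDP/137 (NetBIOS name service) in
firewall logs, the traffic pattern an open-share worm such as Opaserv leaves.

Assumptions (not from the original post): logs are netfilter-style lines
with SRC=, DST=, PROTO= and DPT= fields; the sample lines are constructed.
"""
import re
from collections import defaultdict

# Pull source, destination, protocol and destination port from one log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Constructed sample: 10.0.0.5 probes six different hosts on UDP/137 (worm-like
# sweep); 10.0.0.9 sends three lookups to one server; one TCP/139 line is noise.
SAMPLE_LOG = """\
Sep 28 02:13:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.2 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.3 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.4 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.5 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.6 LEN=58 PROTO=UDP SPT=137 DPT=137 LEN=38
Sep 28 02:13:05 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.50 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 28 02:13:06 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.50 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 28 02:13:07 fw kernel: IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.50 LEN=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 28 02:13:08 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=1025 DPT=139 SYN
"""

def udp137_probes(lines):
    """Yield (src, dst) for each UDP/137 line; lines that do not parse are skipped."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("proto") == "UDP" and m.group("dpt") == "137":
            yield m.group("src"), m.group("dst")

def find_sweepers(lines, min_targets=5):
    """Return {src: distinct hosts probed} for sources hitting >= min_targets hosts.
    Counting distinct destinations rather than packets separates a scanning
    host from a chatty but legitimate NetBIOS client talking to one server.
    """
    seen = defaultdict(set)
    for src, dst in udp137_probes(lines):
        seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, n in find_sweepers(SAMPLE_LOG.splitlines()).items():
        print(f"{src} probed {n} hosts on UDP/137: possible open-share worm")
```

On a real perimeter log, sources flagged this way are candidates for the removal tool linked above; tune `min_targets` to the size of the address space the firewall fronts.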

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
