RE: new/old port 135 scans?

["DeGennaro, Gregory" <Gregory_DeGennaro () csaa com>]

Nachi,

Was also supposed to end;

Self removal 
When the system clock reaches Jan 1, 2004, the worm will delete itself upon
execution

My guess it did not, we have bad CMOS batteries out there, or all of this
traffic is msblast or blaster.  Or perhaps, a new one?

Regards,

Greg DeGennaro Jr., CCNP


-----Original Message-----
From: Brian Eckman [mailto:eckman () umn edu] 
Sent: Wednesday, January 14, 2004 9:02 AM
To: Brian Collins
Cc: incidents () securityfocus com
Subject: Re: new/old port 135 scans?

Brian Collins wrote:
> Tonight we're seeing a significant increase in scans on tcp/135.  
> Customers are sending roughly 20 packets to several incremental IPs in a 
> class C, waiting 2 seconds, sending roughly 20 more, etc.  I was under 
> the impression that Blaster/Nachi was programmed to cease as of 1/1/04 
> (of course, I could be wrong about that).    I'll try to have some 
> packets available in a little while.  In the meantime, has anyone else 
> noticed an increase?

That is exactly what Blaster does. It has not ceased, and probably won't 
for years. There should be an increase in it, as it no longer has Nachi 
trying to eradicate it.

Brian

-- 
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota


"There are 10 types of people in this world. Those who
understand binary and those who don't."


---------------------------------------------------------------------------
----------------------------------------------------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------