[Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

From: Willem Koenings (isec_at_europe.com)
Date: 04/23/04

  • Next message: advisories: "[Full-Disclosure] Potential Microsoft PCT worm (MS04-011)"
    To: full-disclosure@lists.netsys.com
    Date: Fri, 23 Apr 2004 10:38:23 -0500
    
    

    > Sound familiar to anyone?

    Today I caught the worm wmiprvsw.exe. This worm incorporates
    stealth capabilities - it hides its process in memory and
    also its exe is not seen in a directory listing when the worm
    is active. Although it does not hide registry entries, it
    shuts down regedit when regedit is executed. It creates
    two registry entries, 'System Updater Service', under Run
    and RunServices.

    Then it starts scanning the following ports:

    2745
    135
    1025
    445
    3127
    6129
    139
    3140

    That's all for now - weekend :)

    W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
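
Added example, not part of the original post: one way to find infected hosts from connection logs is to flag any source that probes several of the ports listed above across multiple targets. The log format, the sample lines and the `min_ports`/`min_targets` thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports the post reports the worm scanning.
WORM_PORTS = {2745, 135, 1025, 445, 3127, 6129, 139, 3140}

# Assumed log format: "<time> SRC=<ip> DST=<ip> PROTO=TCP DPT=<port>"
LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")

def find_scanners(lines, min_ports=4, min_targets=3):
    """Return {src: (sorted ports, target count)} for sources that touched
    at least min_ports of WORM_PORTS on at least min_targets distinct hosts."""
    ports = defaultdict(set)
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip malformed or non-TCP lines
        src, dst, dpt = m.group(1), m.group(2), int(m.group(3))
        if dpt in WORM_PORTS:
            ports[src].add(dpt)
            targets[src].add(dst)
    return {
        src: (sorted(seen), len(targets[src]))
        for src, seen in ports.items()
        if len(seen) >= min_ports and len(targets[src]) >= min_targets
    }

# Constructed sample: .23 sweeps worm ports, .50 is ordinary SMB to one
# file server, .77 only touches port 80, and the last line is malformed.
SAMPLE_LOG = [
    "10:01:00 SRC=10.1.4.23 DST=10.1.5.1 PROTO=TCP DPT=135",
    "10:01:00 SRC=10.1.4.23 DST=10.1.5.1 PROTO=TCP DPT=445",
    "10:01:01 SRC=10.1.4.23 DST=10.1.5.2 PROTO=TCP DPT=1025",
    "10:01:01 SRC=10.1.4.23 DST=10.1.5.2 PROTO=TCP DPT=3127",
    "10:01:02 SRC=10.1.4.23 DST=10.1.5.3 PROTO=TCP DPT=6129",
    "10:01:03 SRC=10.1.4.50 DST=10.1.9.9 PROTO=TCP DPT=445",
    "10:01:03 SRC=10.1.4.50 DST=10.1.9.9 PROTO=TCP DPT=139",
    "10:01:04 SRC=10.1.4.77 DST=10.1.5.1 PROTO=TCP DPT=80",
    "10:01:05 truncated line",
]

if __name__ == "__main__":
    for src, (seen, count) in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: ports {seen} across {count} targets")
```

Because the post says the worm hides its process and its exe from directory listings while active, network-side evidence like this is a more reliable first indicator than inspecting the suspect host itself.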
    
