[Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

From: Willem Koenings (isec_at_europe.com)
Date: 04/23/04

    To: full-disclosure@lists.netsys.com
    Date: Fri, 23 Apr 2004 10:38:23 -0500
    
    

    > Sound familiar to anyone?

    Today I caught the worm wmiprvsw.exe. This worm incorporates
    stealth capabilities - it hides its process in memory and
    its exe is also not seen in a directory listing when the worm
    is active. Although it does not hide registry entries, it
    shuts down regedit when regedit is executed. It creates
    two registry entries, 'System Updater Service', under Run
    and RunServices.

    Then it starts scanning the following ports:

    2745
    135
    1025
    445
    3127
    6129
    139
    3140

    That's all for now - weekend :)

    W.

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
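
The following is an added example, not part of the original post: a small detector that flags internal hosts whose outbound connections match the port set listed in the message. The log format (`timestamp src dst dport action`), the sample lines and the thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Ports the post lists as scanned by the worm.
WORM_PORTS = {2745, 135, 1025, 445, 3127, 6129, 139, 3140}

# Constructed sample firewall log (not from the post).
# Assumed format: timestamp src dst dport action
SAMPLE_LOG = """\
2004-04-23T10:01:02 10.0.5.17 10.0.8.1 2745 DENY
2004-04-23T10:01:02 10.0.5.17 10.0.8.1 135 DENY
2004-04-23T10:01:03 10.0.5.17 10.0.8.2 1025 DENY
2004-04-23T10:01:03 10.0.5.17 10.0.8.2 445 ALLOW
2004-04-23T10:01:04 10.0.5.17 10.0.8.3 3127 DENY
2004-04-23T10:01:04 10.0.5.17 10.0.8.3 6129 DENY
2004-04-23T10:01:05 10.0.5.20 10.0.1.10 445 ALLOW
2004-04-23T10:01:06 10.0.5.20 10.0.1.10 139 ALLOW
2004-04-23T10:01:07 10.0.5.33 10.0.8.1 80 ALLOW
2004-04-23T10:01:07 10.0.5.33 10.0.8.2 80 ALLOW
truncated line
"""

def parse(lines):
    """Yield (src, dst, dport) from well-formed lines; skip the rest."""
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue
        yield parts[1], parts[2], int(parts[3])

def find_scanners(lines, min_ports=4, min_targets=3):
    """Return {src: (sorted worm ports hit, distinct target count)}.

    A source is flagged only when it touches at least min_ports of the
    listed ports across at least min_targets hosts, so an ordinary
    SMB client talking to one file server on 139/445 is not reported.
    The thresholds are hypothetical and need tuning per network.
    """
    ports, targets = defaultdict(set), defaultdict(set)
    for src, dst, dport in parse(lines):
        if dport in WORM_PORTS:
            ports[src].add(dport)
            targets[src].add(dst)
    return {src: (sorted(ports[src]), len(targets[src]))
            for src in ports
            if len(ports[src]) >= min_ports and len(targets[src]) >= min_targets}

if __name__ == "__main__":
    for src, (hit, n) in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: ports {hit} across {n} hosts")
```

Because the post reports that the worm hides its process and file but not its registry entries, a host flagged this way can be confirmed by looking for the 'System Updater Service' value under Run and RunServices.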
    
