Conclusion: TCP port 139 probes
Date: Fri, 12 Jul 2002 14:47:59 +0200 (MET DST)
From: Pavel Kankovsky <peak@argo.troja.mff.cuni.cz>
To: incidents@securityfocus.com
I have found the following files in c:\windows on multiple machines
probing port 139/tcp on addresses in my network (and having publicly
accessible shares (*)):
MSVXD.EXE (58368 bytes)
MSVXD16.DLL (54784 bytes)
MSVXD32.DLL (81408 bytes)
According to http://www.sarc.com/avcenter/venc/data/w32.datom.worm.html,
these files indicate the presence of a worm called "Datom" that spreads
via publicly writeable shares.
Thanks to H C <keydet89@yahoo.com> who told me about the worm.
(*) Yes, I know I am not authorized to access disks of random braindead
lusers who share them without any kind of protection. But I need 5 minutes
to examine such a disk while I'd need much longer to build a half-decent
honeypot. Anyway, those lusers should be happy I did not erase any of
their precious files just to teach them it is a bad idea to leave
them unprotected. Yes, I am evil.
--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."
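The three file names and byte sizes in the post are the only host-level indicators it gives. As an added example (not Pavel's code, and not anything from the SARC write-up), the following Python script checks a Windows directory on a machine you administer for those indicators, reports exact size matches separately from same-named files of a different size, and demonstrates itself against a constructed temporary directory. The helper `_make_demo_dir` and the status labels are assumptions made for this example; the names and sizes come from the post.

```python
import tempfile
from pathlib import Path

# Indicator files and sizes exactly as reported in the post.
DATOM_INDICATORS = {
    "MSVXD.EXE": 58368,
    "MSVXD16.DLL": 54784,
    "MSVXD32.DLL": 81408,
}


def check_datom_indicators(windows_dir, indicators=DATOM_INDICATORS):
    """Return a dict name -> status for each indicator file.

    status is one of:
      "absent"        -- file not present
      "size-match"    -- present with the size reported in the post
      "size-mismatch" -- present but a different size (still worth a look)
    """
    results = {}
    root = Path(windows_dir)
    # Index the directory case-insensitively: the report is from Windows,
    # where names are case-insensitive, but this may run on a mounted image.
    try:
        entries = {p.name.upper(): p for p in root.iterdir() if p.is_file()}
    except FileNotFoundError:
        # Directory missing: nothing to report, every indicator is absent.
        return {name: "absent" for name in indicators}
    for name, expected_size in indicators.items():
        p = entries.get(name.upper())
        if p is None:
            results[name] = "absent"
        elif p.stat().st_size == expected_size:
            results[name] = "size-match"
        else:
            results[name] = "size-mismatch"
    return results


def is_suspect(results):
    """Any indicator present, matching size or not, warrants investigation."""
    return any(status != "absent" for status in results.values())


def _make_demo_dir(base):
    """Constructed sample (hypothetical): plant two indicator-named files."""
    base = Path(base)
    base.mkdir(parents=True, exist_ok=True)
    (base / "msvxd.exe").write_bytes(b"\0" * 58368)   # size matches the report
    (base / "MSVXD32.DLL").write_bytes(b"\0" * 100)   # present, wrong size
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        demo = _make_demo_dir(Path(tmp) / "windows")
        report = check_datom_indicators(demo)
        for name, status in sorted(report.items()):
            print(f"{name}: {status}")
        print("suspect:", is_suspect(report))
```

On a real host, point `check_datom_indicators` at the actual Windows directory (for example `C:\WINDOWS`) instead of the constructed demo directory; a "size-mismatch" is reported rather than silently dropped because a size that differs from the one in a single report is not evidence that the file is benign.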
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com