FW: Lioten Worm 135-139 and 445
From: Pricher Jeffrey Contr AFCA/GCF (jeffrey.pricher@scott.af.mil)
Date: 12/17/02
Date: Tue, 17 Dec 2002 11:43:33 -0600
From: "Pricher Jeffrey Contr AFCA/GCF" <jeffrey.pricher@scott.af.mil>
To: <incidents@securityfocus.com>
This came from the incidents.org list this am. Figured I'd pass it along since I've seen some discussion about port 445 probes come up lately.
J. Pricher
-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora@phra.com]
Sent: Tuesday, December 17, 2002 8:45 AM
To: intrusions@incidents.org
Subject: Lioten Worm 135-139 and 445
Incidents.org reports the Lioten worm as active. AV vendor sites report its
existence but show no infections. It spreads on NT/W2K through TCP and UDP
on ports 135-139 and 445 - through NetBIOS. It uses short brute force
password attacks on all enumerated users found during a null session probe,
and installs itself as %system%\Iraq_oil.exe.
Has anyone seen this worm in the wild? Any packet captures?
http://www.sarc.com/avcenter/venc/data/w32.hllw.lioten.html (signature not released yet)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A (signature released)
http://vil.nai.com/vil/content/v_99897.htm (signature not released yet)
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
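A detection sketch for the propagation pattern described in the forwarded message (one source probing many hosts on ports 135-139 and 445), added here as an example and not part of the original posts. The log format, the `find_scanners` name, the thresholds and the sample lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the post: 135-139 and 445, TCP and UDP.
WORM_PORTS = set(range(135, 140)) | {445}

# Constructed log format (an assumption, not from the post):
# "<ISO timestamp> <proto> <src_ip> -> <dst_ip>:<dst_port>"
LINE_RE = re.compile(
    r"^(\S+) (tcp|udp) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

def find_scanners(lines, min_targets=5, window=timedelta(minutes=1)):
    """Return {src_ip: most distinct destinations contacted on WORM_PORTS
    inside any one `window`} for sources that reach `min_targets`."""
    events = defaultdict(list)  # src -> [(time, dst)]
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts, _proto, src, dst, port = m.groups()
        if int(port) in WORM_PORTS:
            events[src].append((datetime.fromisoformat(ts), dst))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            # Advance the left edge until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in evs[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = (
    [f"2002-12-17T08:00:{i*5:02d} tcp 192.0.2.10 -> 198.51.100.{i+1}:445" for i in range(6)]
    + [f"2002-12-17T08:00:{i*5:02d} tcp 192.0.2.20 -> 198.51.100.50:{p}" for i, p in enumerate((445, 139) * 3)]
    + [f"2002-12-17T08:00:{i*5:02d} tcp 192.0.2.30 -> 203.0.113.{i+1}:80" for i in range(6)]
    + [f"2002-12-17T08:{i*5:02d}:00 udp 192.0.2.40 -> 198.51.100.{i+1}:137" for i in range(6)]
)
```

Only 192.0.2.10 is flagged in the sample: a client talking repeatedly to one file server, web traffic, and slow NetBIOS name traffic all stay under the fan-out threshold. The threshold and window need tuning against a site's normal SMB traffic.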