Re: IRAQ_OIL.EXE and Port 445 traffic

From: neo [mvp outlook] (neo@mvps.org)
Date: 12/16/02 

From: "neo [mvp outlook]" <neo@mvps.org>
Date: Mon, 16 Dec 2002 12:32:41 -0800

Do you know if this new thing has been submitted to vendors like Symantec,
CA, Trend, .etc?

"Philip Sloss" <stuff@lupwa.org> wrote in message
news:u7PXc4TpCHA.2360@TK2MSFTNGP12...
> "Tim Blizard" <timb@maxit.com.au> wrote in message
> news:b2508eb6.0212160754.19375523@posting.google.com...
> > To anyone who can help.
> >
> > On Saturday 14 December 2002 I noticed unexpected traffic on my
> > Internet modem. A trace showed large numbers of attempts by my server
> > to connect to other servers on port 445. I checked Task Manager and
> > found a process called IRAQ_OIL.EXE. When I killed this process, the
> > traffic stopped.
>
> It's a new worm:
> http://www.dslreports.com/forum/remark,5340211~root=security,1~mode=flat
>
> ...we're still analyzing it, but technical information should be available
> soon.
>
> > Until I'm sure that I have closed whatever vulnerability allowed this
> > file onto my server and can be sure that others are safe from me, I
> > have shutdown my Internet link.
>
> It's exploiting null session capabilities to get remote information, so
I'd
> suggest checking your local security policy. How strong are the passwords
> on your system's accounts?
>
> Philip Sloss
>

Relevant Pages

  • Re: RWW from one SBS site to another problem
    ... I can RWW to other sites too and yes IP is ... However site had their server rebooted as complaints the internet was slow ... Clients now mention every Friday the internet is slow. ... >> Technical Information ...
    (microsoft.public.windows.server.sbs)
  • Re: Urgent! New router and big disaster
    ... The SBS DNS server, running on ... its IP it means that your problem is now DNS. ... forward ports to it reliably in the router. ... I should have been more clear about internet connection.. ...
    (microsoft.public.windows.server.sbs)
  • Re: RWW Disconnecting
    ... I have been connected from a remote site for about 3 ... DHCP server and even a wireless access ... the key codes to for Internet access. ... Client Workstations} ...
    (microsoft.public.windows.server.sbs)
  • Re: EBS 2008 and e-mail issues
    ... the internal interface of the security server. ... If I forward to the Exchange server (yes I know I'm not ... rerunning the change security level wizard is not possible. ... customer here wants to exclude some users from internet. ...
    (microsoft.public.windows.server.sbs)
  • Re: Urgent! New router and big disaster
    ... I checked the binding order and the Server Local area connection is at the top. ... I should have been more clear about internet connection.. ... I wonder if I may have missed a firewall setting on the router as well. ...
    (microsoft.public.windows.server.sbs)