Port TCP/IP 445

From: Benn Wolff (Benn_Wolff@REMOVEhotmail.com)
Date: 03/10/03


Copy & pasted from ntbugtraq news list
*********************************
Our Director of Malcode Research, Roger Thompson, has been monitoring
the rapid increase in activity of the W32/Deloder worm;

http://www.wormwatch.org
(Note: We're looking for someone in each country to run WormCatcher,
drop me a note if you're interested and outside of North America)

This worm, similar to previous worms on TCP445, spreads via network
shares. Most corporate environments should be protected because they are
not allowing untrusted connections into their network; however, he's
identified a couple of scenarios where this may happen.

1. Machines connected to raw Internet connections when out of the
corporate environment, either at home or while traveling, which are then
brought back into the corporate network.

2. Machines which use VPN connections into the corporate network but are
not properly protected from the raw Internet.

Update your AV definitions and ensure such machines receive appropriate
protection, as in Personal Firewalls and active AV.

http://vil.nai.com/vil/content/v_100127.htm
http://www.Europe.F-Secure.com/v-descs/deloader.shtml
http://www.sarc.com/avcenter/venc/data/w32.hllw.deloder.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A
http://www.sophos.com/virusinfo/analyses/w32delodera.html

Cheers,
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?

Need assistance crafting the format or translating your advisory to English?

Need to verify it, or having problems contacting the Vendor?

Contact mailto:Advisories@NTBugtraq.com
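The two exposure scenarios above (a laptop on a raw Internet connection, or a VPN host not shielded from it) both show up in a host firewall log as inbound TCP/445 connection attempts from addresses outside the corporate ranges. The following is an added example, not code from the original post or from NTBugtraq: it parses a constructed, simplified key=value firewall log, treats only RFC 1918, loopback and link-local addresses as trusted (an assumption; real deployments would list their own ranges), and reports per-source attempt and accept counts so an accepted inbound SMB connection from the raw Internet stands out.

```python
"""Flag inbound TCP/445 (SMB) attempts from untrusted sources in a host firewall log.
Added example; the log format and the 'trusted' ranges below are assumptions."""
import ipaddress
import re

# Constructed sample lines (simplified key=value format, not a real product's log).
SAMPLE_LOG = """\
2003-03-10T00:31:02 action=DROP proto=TCP src=203.0.113.45 dst=192.168.1.10 dport=445
2003-03-10T00:31:03 action=DROP proto=TCP src=203.0.113.45 dst=192.168.1.10 dport=445
2003-03-10T00:31:05 action=ACCEPT proto=TCP src=10.0.0.7 dst=192.168.1.10 dport=445
2003-03-10T00:31:09 action=ACCEPT proto=TCP src=198.51.100.8 dst=192.168.1.10 dport=445
2003-03-10T00:31:11 action=ACCEPT proto=TCP src=203.0.113.45 dst=192.168.1.10 dport=80
2003-03-10T00:31:12 action=DROP proto=UDP src=203.0.113.9 dst=192.168.1.10 dport=137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)
SMB_PORT = 445
# Assumed trusted ranges: RFC 1918 plus loopback and link-local. Listed explicitly
# rather than via ipaddress.is_private, which also treats TEST-NET blocks as private.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_untrusted(src):
    """True when src falls outside every trusted (corporate/private) range."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in TRUSTED_NETS)

def smb_exposure(log_text):
    """Map each untrusted source hitting TCP/445 to its attempt and accept counts."""
    hits = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["proto"] != "TCP" or int(rec["dport"]) != SMB_PORT:
            continue
        if not is_untrusted(rec["src"]):
            continue
        entry = hits.setdefault(rec["src"], {"attempts": 0, "accepted": 0})
        entry["attempts"] += 1
        if rec["action"] == "ACCEPT":
            entry["accepted"] += 1  # an accepted inbound SMB session is the exposure
    return hits

if __name__ == "__main__":
    for src, stats in smb_exposure(SAMPLE_LOG).items():
        state = "EXPOSED" if stats["accepted"] else "blocked"
        print(f"{src}: {stats['attempts']} attempt(s), {stats['accepted']} accepted -> {state}")
```

On the sample log the dropped attempts from 203.0.113.45 confirm the personal firewall is doing its job, while the accepted connection from 198.51.100.8 is exactly the unprotected-host case the post warns about.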


