Re: Worm never seen before

From: Cyber-Hun (th54_at_hotmail.com)
Date: 12/31/04 

Date: Fri, 31 Dec 2004 11:55:32 GMT

Seems this exploit needed the attack surface created by the service running
on port 445, this is why it's good to shut these services down in addition
to blocking to blocking the incoming port 445 traffuc with a router.
Especially if you're just running a standalone, home system that doesn't
need to talk to other domain members.
"I.L.B." <suricata_2@hotmail.com> wrote in message
news:cr0i45$nu2$1@nsnmpen2-gest.nuria.telefonica-data.net...
> Hi all ;
>
> I am just experiencing a strange kind of infection I don't know wether is
> a
> new worm or not, as I never seen it before. The situation is next:
>
> - I am running a computer with both Win98 and XP installed.
> - My Win98 session works OK
> - When I start an XP session, and I do activate my network connection... I
> start to see a very heavy traffic on the LEDs of my hub/router ADSL. The
> activity light is flickering like crazy... what happens??
> - I check the Status of the connection, and I see dozens of outbound
> packets
> per second, and almost nothing incoming. Strange...
> - I run NETSTAT to see what it happens. I see a LOT of outbound TCP
> connections as "SYN_SENT" from a series of ports from 3400 to 3600 and so
> on... no way to stop it !. All of these netstat entries end at some
> strange
> IPs at EPMAP port.
> - I run TaskManager, and I see a lot of started process of "SVCHOST" and
> "IEEXPLORE" (about 5 or 6 instances of each one started).
>
> I just checked for Sasser, Welchia worms, but the tools said I don't have
> these worms on my computer...
>
> Any ideas? Thanks !!
>
>
>

Relevant Pages

  • Re: Worm never seen before
    ... Seems this exploit needed the attack surface created by the service running ... to blocking to blocking the incoming port 445 traffuc with a router. ... > I am just experiencing a strange kind of infection I don't know wether is ... > these worms on my computer... ...
    (comp.security.firewalls)
  • Re: HELP REQUIRED - Strange Hacking Attempt!!!!
    ... I am running OnTrack NetDefense firewall and AtGuard. ... The strange thing is that NetDefense lists the ... > Remote Port: 67 ... > Could it simply be an Internet router or something harmless? ...
    (comp.security.firewalls)
  • Re: HELP REQUIRED - Strange Hacking Attempt!!!!
    ... It's not strange and it's not a hacking attempt. ... your firewall is catching and logging ... > Remote Port: 67 ... > Could it simply be an Internet router or something harmless? ...
    (comp.security.firewalls)
  • RE: Remote Desktop vs VPN on Windows 2003
    ... the security world, 90% of the security defense classes are built to defend ... default SQL port to anything else, they would have never been touched by ... You assume that the only things you need to worry about are automatic worms ... > I can think of NO reason not to use Remote Desktop. ...
    (Security-Basics)
  • Re: Virus in SCO?
    ... >indicate they have Sub7, netbus, trino and other worms. ... Does this SCO server have some kind of DOS/Windoze emulator running ... If IP port numbers, which ones? ... destined for the firewall or server. ...
    (comp.unix.sco.misc)
Loading