From: Pavel Kankovsky (peak_at_argo.troja.mff.cuni.cz)
Date: Fri Jul 12 2002 - 07:47:59 CDT


    I have found the following files in c:\windows on multiple machines
    probing port 139/tcp on addresses in my network (and having publicly
    accessible shares (*)):

            MSVXD.EXE (58368 bytes)
            MSVXD16.DLL (54784 bytes)
            MSVXD32.DLL (81408 bytes)

    According to http://www.sarc.com/avcenter/venc/data/w32.datom.worm.html,
    these files indicate the presence of a worm called "Datom" that spreads
    via publicly writeable shares.

    Thanks to H C <keydet89yahoo.com> who told me about the worm.

    (*) Yes, I know I am not authorized to access disks of random braindead
    lusers who share them without any kind of protection. But I need 5 minutes
    to examine such a disk while I'd need much longer to build a half-decent
    honeypot. Anyway, those lusers should be happy I did not erase any of
    their precious files just to teach them it is a bad idea to leave
    them unprotected. Yes, I am evil.

    --Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
    "Resistance is futile. Open your source code and prepare for assimilation."

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
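
A check for the three file names and sizes reported in the message above, as an added example that is not part of the original post. The function names and the "name+size" / "name-only" verdict labels are assumptions made here, and the sample directory is constructed from zero-filled files; a match is an indicator to investigate, not proof of infection.

```python
import os
import sys
import tempfile

# File names and sizes reported in the message above (found in c:\windows).
REPORTED = {
    "msvxd.exe": 58368,
    "msvxd16.dll": 54784,
    "msvxd32.dll": 81408,
}


def scan_directory(path):
    """Return sorted (filename, size, verdict) tuples for reported names found in path.

    verdict is "name+size" when name and size both match the report, and
    "name-only" when the name matches but the size differs.
    """
    findings = []
    with os.scandir(path) as entries:
        for entry in entries:
            # Windows file names are case-insensitive, so compare in lower case.
            expected = REPORTED.get(entry.name.lower())
            if expected is None or not entry.is_file(follow_symlinks=False):
                continue
            size = entry.stat(follow_symlinks=False).st_size
            verdict = "name+size" if size == expected else "name-only"
            findings.append((entry.name, size, verdict))
    return sorted(findings)


def build_sample_dir():
    """Constructed sample data: zero-filled files with chosen names and sizes."""
    directory = tempfile.mkdtemp()
    samples = (("MSVXD.EXE", 58368), ("Msvxd16.dll", 1000), ("notepad.exe", 58368))
    for name, size in samples:
        with open(os.path.join(directory, name), "wb") as handle:
            handle.write(b"\0" * size)
    return directory


if __name__ == "__main__":
    # Pass a directory (for example a mounted copy of c:\windows) as argument;
    # without one, the constructed sample directory is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_dir()
    for name, size, verdict in scan_directory(target):
        print(f"{verdict:10} {size:>7} {name}")
```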