From: Ryan Russell (ryan_at_securityfocus.com)
Date: Fri Jul 12 2002 - 18:08:40 CDT


    On Wed, 10 Jul 2002, Pavel Kankovsky wrote:

    > winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
    > notepad.exe A 317440 Fri Jul 5 15:43:08 2002
    > control.exe A 317440 Fri Jul 5 15:43:08 2002
    > scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
    > ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
    > scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
    > loadpe.com A 317440 Fri Jul 5 15:43:40 2002
    > msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
    > wf2k.exe A 317440 Fri Jul 5 15:43:40 2002

    Pavel provided me some samples off-list. The ones shown here are
    identified as Stator by the f-prot DOS scanner.

    http://securityresponse.symantec.com/avcenter/venc/data/w32.statormm.html

    A few other files (not shown in this note) are Datom:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html

    Datom scans for open shares, so that's the port 139 traffic. The Symantec
    description of the Stator worm says it's a mass-mailer, so I'm not sure
    how that relates, or why they are there. The filenames match, though.

                                                    Ryan
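The listing Pavel quoted is the kind of thing an analyst triages by hand: many differently named system executables that all have the same byte size and near-identical write times. The script below is an added example (not from the thread or from any AV vendor) that automates that check over a constructed listing in the same "name attr size date" layout; the threshold and the executable-extension set are assumptions.

```python
"""Flag clusters of same-sized executables in a directory listing.

Added example, not part of the original thread. Line format is assumed
from the quoted listing: <name> <attr> <size> <ctime-style date>.
"""
import re
from collections import defaultdict
from datetime import datetime

LISTING_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<attr>\S+)\s+(?P<size>\d+)\s+(?P<date>.+)$")

# Assumed set of extensions worth clustering; text files are ignored.
EXEC_EXT = (".exe", ".com", ".sys", ".dll", ".scr")

# Constructed sample: the quoted listing plus two benign files of other sizes.
SAMPLE = """\
winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
notepad.exe A 317440 Fri Jul 5 15:43:08 2002
control.exe A 317440 Fri Jul 5 15:43:08 2002
scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
loadpe.com A 317440 Fri Jul 5 15:43:40 2002
msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
wf2k.exe A 317440 Fri Jul 5 15:43:40 2002
calc.exe A 114688 Tue Jun 8 12:00:00 1999
readme.txt A 1024 Tue Jun 8 12:00:00 1999
"""


def parse_listing(text):
    """Return (name, size, mtime) tuples; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group("date"), "%a %b %d %H:%M:%S %Y")
        entries.append((m.group("name").lower(), int(m.group("size")), when))
    return entries


def same_size_clusters(entries, min_names=3):
    """Map size -> sorted distinct executable names, keeping only sizes shared
    by at least min_names different files (a hallmark of an overwriting
    infector that leaves every victim the same length)."""
    by_size = defaultdict(set)
    for name, size, _ in entries:
        if name.endswith(EXEC_EXT):
            by_size[size].add(name)
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_names}


if __name__ == "__main__":
    for size, names in same_size_clusters(parse_listing(SAMPLE)).items():
        print(f"{len(names)} executables share size {size}: {', '.join(names)}")
```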
