On Tue, Oct 01, 2002 at 06:45:22PM +0200, Axel Pettinger wrote:
| Yesterday morning I sent a file (name: SCRSVR.EXE) into various anti
| virus labs and asked them to confirm my suspicion that it was a new
| open share worm. Since this morning my suspicion is confirmed. I think
| that it is related with the reports of "unusually high volumes of
| UDP:137 probes". It's the same malicious program Mark Forsyth has
| already mentioned.

It looks as though it can be distinguished from legitimate NetBIOS
traffic. Normal udp/137 will have 137 as the source and destination
(for file shares, anyway). This worm uses an arbitrary 1024+ source port.

-James

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]