Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Kevin Pait <kevin.pait () UNCP EDU>
Date: Fri, 4 Feb 2005 15:21:30 -0500

We've been fighting this problem for the past two weeks.  It seems that the
virus we have been afflicted with is an unknown variant of the
W32/Sdbot.worm.  The variant we have drops a virus called Qhost which causes
PCs to redirect away from common anti-virus sites, Windows updates, etc.
McAfee provided an extra.dat to try and combat the worm but it hasn't worked
well.  Their latest definition file has seemed to rid the virus from some
systems while others can't totally shake it.  It has been very time
consuming for our support staff as our only totally successful recourse has
been to format, reinstall, and apply updates totally offline.  Check traffic
on ports 135, 445, and 1025 - this is how we have identified afflicted PCs.
Affected machines are W2000 and XP - some having most of their updates and
latest virus definitions in place.  Good luck.


  _____

From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, February 04, 2005 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Worm activity/port 445


We're seeing a lot of 445 scanning and an increasing rate of infection -
users complaining about a wide array of pop-ups, redirects and other spyware
type symptoms, slowing their systems to a crawl.

Anyone else seeing something similar?

Craig

--


Craig Blaha
Associate Director
Information Policy, Security and Web Development
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
www.tcnj.edu

********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
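
The port check suggested in the reply above, as an added example that is not part of the original messages: a Python sketch that flags campus hosts contacting many distinct addresses on TCP 135, 445 or 1025. The flow-record format, the 10.20.0.0/16 campus range, the threshold and the sample records are all constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

WORM_PORTS = {135, 445, 1025}          # ports named in the reply above
CAMPUS = ip_network("10.20.0.0/16")    # assumption: constructed campus range
FANOUT_THRESHOLD = 5                   # assumption: tune to the local baseline

# Constructed sample flow records, one per line: "epoch src dst dport proto"
SAMPLE_FLOWS = "\n".join(
    [f"1107548400 10.20.5.17 10.20.9.{i} 445 tcp" for i in range(1, 9)]
    + [f"1107548401 10.20.5.17 10.20.9.{i} 135 tcp" for i in range(1, 3)]
    + ["1107548402 10.20.3.4 10.20.1.10 445 tcp"] * 6   # client to one file server
    + ["1107548403 10.20.3.4 192.0.2.80 80 tcp", "garbage line"]
)

def parse_flows(text):
    """Yield (src, dst, dport) for well-formed TCP records; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4].lower() != "tcp":
            continue
        try:
            yield ip_address(parts[1]), ip_address(parts[2]), int(parts[3])
        except ValueError:
            continue  # malformed address or port

def suspect_hosts(text, threshold=FANOUT_THRESHOLD):
    """Return {src: {port: distinct_destination_count}} for campus hosts whose
    fan-out on any watched port meets the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for src, dst, dport in parse_flows(text):
        if src in CAMPUS and dport in WORM_PORTS:
            targets[src][dport].add(dst)
    report = {}
    for src, ports in targets.items():
        counts = {port: len(dsts) for port, dsts in ports.items()}
        # Repeated connections to one server count once; many distinct
        # destinations on a watched port is the scanning pattern.
        if max(counts.values()) >= threshold:
            report[str(src)] = counts
    return report

if __name__ == "__main__":
    for host, counts in suspect_hosts(SAMPLE_FLOWS).items():
        print(host, counts)
```

Counting distinct destinations rather than raw connections keeps an ordinary client that talks to a single file server on 445 out of the report.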

