Educause Security Discussion mailing list archives

Re: Worm activity/port 445


From: Joseph Vieira <jvieira () CLARKU EDU>
Date: Mon, 7 Feb 2005 11:04:06 -0500

We have also been seeing a lot of this activity.

  - Open port 113 (IRC auth port) -- random userid
  - Propagation via unprotected Windows file sharing and LSASS etc. vulnerabilities
  - I have also noticed UDP port 69 open and running tftp on a lot of these machines
  - Various other symptoms:
      - Rootkits installed in %windir%/system32/drivers/etc
      - IRC server running on one machine

I port scan for TCP 113 and UDP 69 to identify potential infections, and
also watch for high volumes of traffic along port 6667


Joe Vieira
Desktop Security Analyst
Information Technology Services
Clark University
508.793.7287

-----Original Message-----
From: Kevin Pait [mailto:kevin.pait () UNCP EDU]
Sent: Friday, February 04, 2005 3:22 PM
Subject: Re: Worm activity/port 445

We've been fighting this problem for the past two weeks.  It seems that the
virus we have been afflicted with is an unknown variant of the
W32/Sdbot.worm.  The variant we have drops a virus called Qhost which causes
PCs to redirect away from common anti-virus sites, Windows updates, etc.
McAfee provided an extra.dat to try and combat the worm but it hasn't worked
well.  Their latest definition file has seemed to rid the virus from some
systems while others can't totally shake it.  It has been very time
consuming for our support staff as our only totally successful recourse has
been to format, reinstall, and apply updates totally offline.  Check traffic
on ports 135, 445, and 1025 - this is how we have identified afflicted PCs.
Affected machines are W2000 and XP - some having most of their updates and
latest virus definitions in place.  Good luck.



From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Craig Blaha
Sent: Friday, February 04, 2005 2:55 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Worm activity/port 445
We're seeing a lot of 445 scanning and an increasing rate of infection -
users complaining about a wide array of pop-ups, redirects and other spyware
type symptoms, slowing their systems to a crawl.

Anyone else seeing something similar?

Craig
--
Craig Blaha
Associate Director
Information Policy, Security and Web Development
The College of New Jersey
PO Box 7718
Ewing, NJ 08628
http://www.tcnj.edu
--------------------------------------------------------------
Reminder: E-mail sent through the Internet is not secure.
Do not use e-mail to send confidential information
such as credit card numbers, changes of address, PIN
numbers, passwords, or other important information.
Your e-mail message is not private in
that it is subject to review by the College, its officers,
agents and employees.
--------------------------------------------------------------
********** Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/groups/.
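The detection ideas in this thread are Joe's check for hosts answering on TCP 113 / UDP 69 and pushing heavy traffic to TCP 6667, and Kevin's check of traffic on 135/445/1025. The script below is an added example, not code from any poster, that applies those checks offline to constructed flow records; the tuple format (src, dst, proto, dport, bytes_out, bytes_in), the sample addresses and the two thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records (not real traffic): one tuple per flow,
# (src, dst, proto, dport, bytes_out, bytes_in); bytes_in > 0 means the
# destination answered, i.e. the port was actually open.
FLOWS = [("10.1.2.9", "10.1.0.5", "tcp", 445, 8000, 120000),      # normal SMB to a file server
         ("10.1.2.9", "192.0.2.10", "tcp", 6667, 3000, 5000)]     # a little legitimate IRC chat
# 10.1.2.3 sweeps 445 across a neighbouring /24, nearly all of it unanswered
FLOWS += [("10.1.2.3", f"10.1.3.{i}", "tcp", 445, 200, 0) for i in range(1, 41)]
FLOWS += [("10.1.2.7", "10.1.2.3", "tcp", 113, 60, 40),           # ident answers on the infected host
          ("10.1.2.7", "10.1.2.3", "udp", 69, 30, 4096),          # tftp serves the dropper
          ("10.1.2.3", "198.51.100.4", "tcp", 6667, 2_500_000, 90_000)]  # heavy IRC traffic

SUSPECT_LISTENERS = {("tcp", 113), ("udp", 69)}   # the ports Joe scans for

def triage(flows, fanout_threshold=20, irc_bytes_threshold=1_000_000):
    """Return {host: [finding, ...]} for hosts showing the thread's symptoms.
    Both thresholds are assumptions; tune them to the site's baseline."""
    fanout = defaultdict(set)        # host -> distinct TCP 445 targets it probed
    listeners = defaultdict(set)     # host -> (proto, port) pairs it answered on
    irc_bytes = defaultdict(int)     # host -> bytes it sent to TCP 6667
    for src, dst, proto, dport, out_b, in_b in flows:
        if proto == "tcp" and dport == 445:
            fanout[src].add(dst)
        if (proto, dport) in SUSPECT_LISTENERS and in_b > 0:
            listeners[dst].add((proto, dport))
        if proto == "tcp" and dport == 6667:
            irc_bytes[src] += out_b
    findings = defaultdict(list)
    for host, targets in fanout.items():
        if len(targets) >= fanout_threshold:
            findings[host].append(f"tcp/445 fan-out to {len(targets)} hosts")
    for host, ports in sorted(listeners.items()):
        findings[host].append("answering on " + ", ".join(f"{p}/{n}" for p, n in sorted(ports)))
    for host, nbytes in irc_bytes.items():
        if nbytes >= irc_bytes_threshold:
            findings[host].append(f"{nbytes} bytes to tcp/6667")
    return dict(findings)

if __name__ == "__main__":
    for host, notes in sorted(triage(FLOWS).items()):
        print(host, "->", "; ".join(notes))
```

A host that trips more than one check at once is the strongest candidate for the offline rebuild Kevin describes; a single hit (one IRC user, one file server) is just a lead to verify.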
