Full Disclosure mailing list archives
Re:Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: "Ian Latter" <Ian.Latter () mq edu au>
Date: Sat, 24 Apr 2004 11:04:51 +1000
We saw this a week+ ago ... I'm pretty sure the support peeps found that this was a recent Netsky variant (V?) .. not sure. It was just a bit too new for the Virus scanner at that time.

----- Original Message -----
From: "Willem Koenings" <isec () europe com>
To: <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
Date: Fri, 23 Apr 2004 10:38:23 -0500

Sound familiar to anyone?

Today caught worm wmiprvsw.exe. This worm incorporates stealth capabilities - it hides its process in memory and also its exe is not seen in directory listing, when worm is active. Although it does not hide registry entries, it shuts down regedit, when regedit is executed. It creates two registry entries 'System Updater Service' under Run and RunServices. Then it starts to scan the following ports:

2745 135 1025 445 3127 6129 139 3140

That's all for now - weekend :)

W.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
--
Ian Latter
Internet and Networking Security Officer
Macquarie University
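Added example, not part of the original posts: a small detector that flags internal hosts sweeping the port set listed in the quoted message. The log format (`epoch src dst dport`), the thresholds, and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports the quoted message lists as scanned by the worm.
WORM_PORTS = {2745, 135, 1025, 445, 3127, 6129, 139, 3140}

def parse(lines):
    """Yield (ts, src, dst, port) from 'epoch src dst dport' lines; skip malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def suspected_scanners(lines, min_ports=4, min_hosts=5, window=60):
    """Return {src: (sorted ports, distinct host count)} for sources that, inside one
    window-second bucket, hit >= min_ports listed ports on >= min_hosts destinations."""
    buckets = defaultdict(lambda: (set(), set()))
    for ts, src, dst, port in parse(lines):
        if port in WORM_PORTS:
            ports, hosts = buckets[(src, ts // window)]
            ports.add(port)
            hosts.add(dst)
    hits = {}
    for (src, _), (ports, hosts) in buckets.items():
        if len(ports) >= min_ports and len(hosts) >= min_hosts:
            if src not in hits or len(hosts) > hits[src][1]:
                hits[src] = (sorted(ports), len(hosts))
    return hits

def constructed_sample():
    """Constructed records: one sweeping host, one ordinary SMB client, two junk lines."""
    lines = []
    for i in range(1, 9):                    # 10.0.0.5 sweeps eight neighbours
        for port in sorted(WORM_PORTS):
            lines.append(f"{1000 + i} 10.0.0.5 10.0.1.{i} {port}")
    for t in range(1000, 1050, 5):           # 10.0.0.9 talks to a single file server
        lines.append(f"{t} 10.0.0.9 10.0.2.10 445")
        lines.append(f"{t} 10.0.0.9 10.0.2.10 139")
    lines.append("truncated record")                   # wrong field count, skipped
    lines.append("abc 10.0.0.1 10.0.0.2 http")         # non-numeric fields, skipped
    return lines

if __name__ == "__main__":
    for src, (ports, hosts) in suspected_scanners(constructed_sample()).items():
        print(f"{src}: {len(ports)} listed ports across {hosts} hosts -> {ports}")
```

Fixed time buckets can split a sweep that straddles a bucket boundary, so thresholds should be tuned against real traffic before alerting on the result.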
Current thread:
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Honza Vlach (Apr 22)
- <Possible follow-ups>
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Tomokazu Suzuki (Apr 23)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Joe Stewart (Apr 23)
- Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Willem Koenings (Apr 23)
- Re:Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 Ian Latter (Apr 23)