Full Disclosure mailing list archives
Re: Outbreak of a virus on campus
From: "RMueller" <mueller () fidnet com>
Date: Sat, 24 Apr 2004 09:46:09 -0500
Message: 8
From: "Willem Koenings" <isec () europe com>
To: full-disclosure () lists netsys com
Date: Fri, 23 Apr 2004 10:38:23 -0500
Subject: [Full-disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
Sound familiar to anyone?
Today caught worm wmiprvsw.exe. This worm incorporates stealth capabilities - it hides its process in memory and also its exe is not seen in directory listing, when worm is active. Although it does not hide registry entries, it shuts down regedit, when regedit is executed. It creates two registry entries 'System Updater Service' under Run and RunServices. Then it starts to scan the following ports:

2745 135 1025 445 3127 6129 139 3140

That's all for now - weekend :)

W.
--

Oh great, leave me hanging till Monday.

Thank you
Randall M
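
Added example, not part of the original thread: a small detector that flags internal hosts sweeping the port set reported in the quoted message. The log format, the sample records, the addresses and the two thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Ports the quoted post reports the worm scanning.
WORM_PORTS = {2745, 135, 1025, 445, 3127, 6129, 139, 3140}

# Constructed sample flow records, "time src dst dport" (assumed format).
SAMPLE_LOG = """\
09:00:01 10.1.4.23 10.1.7.1 135
09:00:01 10.1.4.23 10.1.7.1 445
09:00:02 10.1.4.23 10.1.7.2 2745
09:00:02 10.1.4.23 10.1.7.2 6129
09:00:03 10.1.4.23 10.1.7.3 3127
09:00:03 10.1.4.23 10.1.7.3 1025
09:00:04 10.1.4.50 10.1.2.10 445
09:00:05 10.1.4.50 10.1.2.10 139
09:00:06 10.1.4.50 192.0.2.80 80
09:00:07 10.1.4.77 10.1.7.1 445
09:00:07 10.1.4.77 10.1.7.2 445
09:00:08 10.1.4.77 10.1.7.3 445
truncated-line 10.1.4.23
"""

def parse(line):
    """Return (src, dst, dport), or None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[1], parts[2], int(parts[3])

def suspected_scanners(log_text, min_ports=4, min_hosts=3):
    """Map each source that hit >= min_ports distinct worm ports across
    >= min_hosts distinct destinations to the sorted ports it touched."""
    ports, hosts = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or rec[2] not in WORM_PORTS:
            continue
        src, dst, dport = rec
        ports[src].add(dport)
        hosts[src].add(dst)
    return {src: sorted(ports[src]) for src in ports
            if len(ports[src]) >= min_ports and len(hosts[src]) >= min_hosts}

if __name__ == "__main__":
    for src, hit in suspected_scanners(SAMPLE_LOG).items():
        print(src, "touched worm ports", hit)
```

Requiring several distinct ports keeps an ordinary file-share client (445 and 139 to one server) out of the result; lowering `min_ports` to 1 also surfaces single-port sweeps.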