Security Incidents mailing list archives
FW: Lioten Worm 135-139 and 445
From: "Pricher Jeffrey Contr AFCA/GCF" <jeffrey.pricher () scott af mil>
Date: Tue, 17 Dec 2002 11:43:33 -0600
This came from the incidents.org list this am. Figured I'd pass it along since I've seen some discussion about port 445 probes come up lately.

J. Pricher

-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora () phra com]
Sent: Tuesday, December 17, 2002 8:45 AM
To: intrusions () incidents org
Subject: Lioten Worm 135-139 and 445

Incidents.org reports the Lioten worm as active. AV vendor sites report its existence but show no infections.

It spreads on NT/W2K through TCP and UDP on ports 135-139 and 445 - through NetBIOS. It uses short brute force password attacks on all enumerated users found during a null session probe, and installs itself as %system%\Iraq_oil.exe.

Has anyone seen this worm in the wild? Any packet captures?

http://www.sarc.com/avcenter/venc/data/w32.hllw.lioten.html (signature not released yet)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A (signature released)
http://vil.nai.com/vil/content/v_99897.htm (signature not released yet)

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
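A defender's triage sketch for the two indicators named in the message above, added here as an example and not part of the original post or of any vendor's tooling. The port set and file name come from the post; the log format, addresses, threshold and Windows path are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Ports and dropped-file name are taken from the post; everything else is assumed.
LIOTEN_PORTS = set(range(135, 140)) | {445}
DROPPED_NAME = "iraq_oil.exe"

# Constructed sample records: "time src dst proto dport" (hypothetical log format).
SAMPLE_LOG = """\
2002-12-17T08:01:02 10.0.0.5 192.0.2.10 tcp 445
2002-12-17T08:01:02 10.0.0.5 192.0.2.11 tcp 445
2002-12-17T08:01:03 10.0.0.5 192.0.2.12 tcp 445
2002-12-17T08:01:03 10.0.0.5 192.0.2.13 udp 137
2002-12-17T08:01:04 10.0.0.7 192.0.2.10 tcp 445
2002-12-17T08:01:05 10.0.0.7 192.0.2.10 tcp 139
2002-12-17T08:01:06 10.0.0.9 192.0.2.20 tcp 80
malformed line
"""

def find_sweepers(log_text, min_targets=3):
    """Return {src: sorted distinct dsts} for sources that touched at least
    min_targets different hosts on the NetBIOS/SMB ports named in the post."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing
        _ts, src, dst, proto, dport = fields
        if proto.lower() not in ("tcp", "udp") or not dport.isdigit():
            continue
        if int(dport) in LIOTEN_PORTS:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

def is_dropped_file(path):
    """True if a Windows path ends in the file name the post reports."""
    return ntpath.basename(path).lower() == DROPPED_NAME

if __name__ == "__main__":
    for src, dsts in find_sweepers(SAMPLE_LOG).items():
        print(f"{src} probed {len(dsts)} hosts on 135-139/445: {', '.join(dsts)}")
    # Constructed path for illustration; the post only says %system%.
    print(is_dropped_file(r"C:\WINNT\system32\Iraq_oil.exe"))
```

A fan-out count on these ports flags any sweep of them, not Lioten specifically, so a hit is a lead to confirm on the host (for instance by the file name check).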