Security Incidents mailing list archives

Re: Netbios Name Scans/opaserv worm


From: H C <keydet89 () yahoo com>
Date: Thu, 6 Feb 2003 14:02:50 -0800 (PST)

 
> Is there any legitimate reason for these types of random netbios name
> scans, or any netbios name scan for that matter?

Hhhhmmmm...a traffic capture might be something to do. Or, when the
traffic occurs, run fport on the system to see which process is using
the source port...

> Also, does anyone know if there is any way to remotely detect this
> worm on a machine without running a local virus scan?

Well, depending on the variant, it should be pretty easy to do:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
Seems all you have to do is scan for the files on the root of the
drive, or even easier is the Registry key. I run monthly scans to check
the ubiquitous Run key, as well as others...using Perl, of course.
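
Added example, not part of the original post: a Run key audit of the kind described above, written in Python rather than the poster's Perl. It assumes each host's Run key has already been dumped as `reg query` text; the host names, baseline and suspect file name are constructed placeholders.

```python
import re

# Constructed sample of `reg query` output for the Run key, one entry per host.
SAMPLE = {
    "WS01": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
""",
    "WS02": r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    ExampleAV    REG_SZ    "C:\Program Files\ExampleAV\avtray.exe" /min
    Backup Agent    REG_SZ    C:\Program Files\Backup\agent.exe /quiet
    Updater    REG_SZ    C:\placeholder-worm.exe
""",
}
BASELINE = {"exampleav": "avtray.exe"}  # approved value name -> image (hypothetical)
SUSPECT = {"placeholder-worm.exe"}      # placeholder, not a real indicator

VALUE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_[A-Z_]+)\s{4}(?P<data>.*)$")
IMAGE = re.compile(r'^"?(?P<path>.+?\.(?:exe|com|bat|cmd|scr|pif))(?=["\s]|$)', re.I)

def parse_reg_query(text):
    """Return {value name: data} from one host's `reg query` output."""
    found = (VALUE.match(line) for line in text.splitlines())
    return {m["name"]: m["data"].strip() for m in found if m}

def image_name(command):
    """Lower-cased executable file name of a Run command line."""
    m = IMAGE.match(command.strip())
    path = m["path"] if m else (command.split() or [""])[0]
    return path.strip('"').rsplit("\\", 1)[-1].lower()

def audit(outputs, baseline, suspect):
    """List (host, value name, data, reason) for every entry worth a look."""
    findings = []
    for host, text in sorted(outputs.items()):
        for name, data in sorted(parse_reg_query(text).items()):
            image = image_name(data)
            if image in suspect:
                reason = "known-bad image"
            elif name.lower() not in baseline:
                reason = "not in baseline"
            elif baseline[name.lower()] != image:
                reason = "image differs from baseline"
            else:
                continue
            findings.append((host, name, data, reason))
    return findings

print(*audit(SAMPLE, BASELINE, SUSPECT), sep="\n")
```

Entries that are merely absent from the baseline are reported separately from known-bad images, so a monthly run also surfaces new autostart entries that no signature covers yet.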

