Security Incidents mailing list archives

RE: TCP 445 Scan?


From: <kyle () kylelai com>
Date: Thu, 6 Mar 2003 16:14:43 -0500

Just a note on the port 445 type of worm/Trojans; they may or may not have a
mIRC component.  mIRC version of worm/Trojan is more popular though.

I remember the Lioten (Iraq_oil) worm, which used port 445 with 100 threads
when doing the scanning and spreading.  It used the "guessable users" and
"password dictionary" list, which is similar to the mIRC versions.  More
information can be found at
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html

I have seen close to a dozen ocxdll.exe/taskmngr.exe/task32.exe type of
worm/Trojan variants, and I have compiled a list of files that might
represent worm/Trojan infections.  This list is by no means complete because
new variants come out quite often, and the authors just rename the files
and spread the worm/Trojan again.  You can find the worm/Trojan file list at
http://www.klcconsulting.net/mirc_virus_analysis.htm

There is one version of the mIRC variant that included the PStor.EXE file.  This is
a program to steal usernames and passwords stored via pstorec.dll, which
include some IE and Web Outlook credentials.  PStor.EXE is actually the program
pStoreReader, and you can find the .exe and source code at
http://intex.ath.cx.  I first saw this variant on 10/23/2002, and it has
surfaced again.

Cheers,
/Kyle


Kyle Lai, CISSP, CISA
KLC Consulting, Inc.
617-921-5410
klai () klcconsulting net
www.klcconsulting.net
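As an added example (not part of Kyle's post or of any tool he names), a small Python check that flags hosts contacting many distinct addresses on TCP/445 within a short window, the kind of burst a multi-threaded scanner like the one described produces. The log lines are constructed in a simplified firewall format; the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime

# Simplified firewall-log line: "<date> <time> <action> TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(\S+ \S+) (\w+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def build_sample_log():
    """Constructed sample log (not from the original post): one host sweeping
    TCP/445 across a /24 in a few seconds, one host talking to a single file server."""
    lines = []
    for i in range(1, 31):
        lines.append(f"2003-03-05 19:10:{i % 5:02d} DENY TCP 10.0.0.7:{3200 + i} -> 192.168.1.{i}:445")
    for i in range(5):
        lines.append(f"2003-03-05 19:1{i}:00 ALLOW TCP 10.0.0.9:{4000 + i} -> 192.168.1.50:445")
    lines.append("2003-03-05 19:10:03 ALLOW TCP 10.0.0.9:4100 -> 192.168.1.50:80")
    return "\n".join(lines)


def parse_line(line):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(3), m.group(4), int(m.group(5))


def find_445_scanners(log_text, window_seconds=60, min_targets=20):
    """Map each source to the largest number of distinct TCP/445 targets it
    touched inside any window_seconds span, keeping only sources >= min_targets."""
    events = defaultdict(list)  # src -> [(timestamp, dst)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[3] != 445:
            continue
        ts, src, dst, _ = rec
        events[src].append((ts, dst))
    scanners = {}
    for src, hits in events.items():
        hits.sort()  # sliding window over time-ordered hits
        for i, (t0, _) in enumerate(hits):
            targets = {dst for t, dst in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners
```

Running `find_445_scanners(build_sample_log())` reports only 10.0.0.7 (30 distinct targets); the host repeatedly reaching one file server is not flagged.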

-----Original Message-----
From: Johannes Ullrich [mailto:jullrich () euclidian com]
Sent: Wednesday, March 05, 2003 7:17 PM
To: Brian McWilliams
Cc: fixer () gci net; incidents () securityfocus com
Subject: Re: TCP 445 Scan?



Very likely the new worm. Like most of these "IRC animals", they
are used to scan particular netblocks. So the impact is focused
and less global compared to regular worms.


On Tue, 04 Mar 2003 14:59:33 -0500
Brian McWilliams <brian () pc-radio com> wrote:

http://www.viruslist.com/eng/viruslist.html?id=59741


Worm.Win32.Randon

Randon is a Virus-Worm distributed via IRC-channels and LANs with shared
resources.

--
--------------------------------------------------------------------
jullrich () euclidian com             Collaborative Intrusion Detection
                                         join http://www.dshield.org

----------------------------------------------------------------------------

Lose another weekend managing your IDS?
Take back your personal time.
15-day free trial of StillSecure Border Guard.
http://www.securityfocus.com/stillsecure






