Snort mailing list archives

Re: portscan destination port 137


From: Axel Pettinger <api () epost de>
Date: Fri, 15 Nov 2002 07:49:50 +0100

Security Admin wrote:

> I've seen these regularly over the past couple of weeks. Dshield.org
> is reporting its top attacking IP is scanning port 137. And
> incidents.org has the following...
> http://isc.incidents.org/port_details.html?port=137
>
> We now believe that these port 137 scans are due to the 'Bugbear'
> mass mailing virus and the 'Scrup' worm.

No, "Bugbear" is not and cannot be the source as it only enumerates
local network resources to find open shares.

Scrup:
http://vil.mcafee.com/dispVirus.asp?virus_k=99729
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://www.Europe.F-Secure.com/v-descs/opasoft.shtml

"Scrup", now better known as the "Opaserv" worm, is probably responsible
for the majority of port 137 scans. Several variants exist. It's an
aggressive spreader which attacks Win9x/ME machines which have open
shares or are vulnerable to the "Share Level Password" vulnerability
(MS00-072).

Regards,
Axel Pettinger

