| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: Ian.Latter at mq.edu.au (Ian Latter) Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 We saw this a week+ ago ... I'm pretty sure the support peeps found that this was a recent Netsky variant (V?) .. not sure. It was just a bit too new for the Virus scanner at that time. ----- Original Message ----- >From: "Willem Koenings" <isec@...ope.com> >To: <full-disclosure@...ts.netsys.com> >Subject: [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 >Date: Fri, 23 Apr 2004 10:38:23 -0500 > > > > Sound familiar to anyone? > > Today catched worm wmiprvsw.exe. This worm incorporates > stealth capabilities - it hides it's process in memory and > also it's exe is not seen in directory listing, when worm > is active. Although it does not hide registry entries, it > shuts down regedit, when regedit is executed. It creates > two registry entries 'System Updater Service' under Run > and RunServices. > > Then it starts scan following ports : > > 2745 > 135 > 1025 > 445 > 3127 > 6129 > 139 > 3140 > > Thats all for now - weekend :) > > W. > -- > ___________________________________________________________ > Sign-up for Ads Free at Mail.com > http://promo.mail.com/adsfreejump.htm > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -- Ian Latter Internet and Networking Security Officer Macquarie University
Powered by blists - more mailing lists