Date: Thu, 31 Aug 2006 07:31:12 -0400
From: David Taylor <ltr@....upenn.edu>
To: "Geo." <geoincidents@....net>,
	<full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: NT4 worm

The SANS Internet Storm Center is reporting a large increase in port 139
scans. Not much information on the spike yet.

<http://isc.sans.org/diary.php?storyid=1654>


On 8/30/06 10:08 AM, "Geo." <geoincidents@....net> wrote:

> Has anyone seen a writeup on this new NT4 worm that's spreading via port 139
> MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any
> real mention of it anywhere yet. It appears to run two CMD.EXE hidden
> windows and sucks up all the cpu in the infected systems trying to spread.
> I've also seen one customer who found csrsc.exe on the machine after the
> worm hit them.
> 
> I did manage to find out once it exploits a machine it uses ftp.exe to
> connect back to the infecting host and transfer something but I've not had
> time to really dig into this thing. Hoping someone else has already. Looks
> like it's spreading pretty quick
> 
> http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&percent=N&days=40
> 
> 
> Geo.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader


