Message-ID: <C763C2755B546145B7405C5C98030366411AF3@PCHLI-VMAIL.PCHLI.COM>
Date: Thu, 29 Apr 2004 11:09:14 -0700
From: "Jodrell Dimaculangan" <jodrell@...li.com>
To: "Tony Abell" <TonAbe@...tool.com>, <bugtraq@...urityfocus.com>
Subject: RE:  New Worm??? - High level of activity on port 445


This may be a clue,

There was a new variant of the AGOBOT worm that we "uncovered".  
In Safe Mode, run regedt32 and go to
HKLM\software\Microsoft\Windows\CurrentVersion\Run and RunServices.
Look for any Symantec entries (they will look official, but since we do not
use Symantec NAV, it brought up red flags). Delete.

In the CLI, go to Winnt\System32.
Search for a navpaw32.exe or a navpxaw32.exe.
Remove all permissions to prevent this file from being run.

Restart PC.  On your firewall check for port scanning.  This worm will
attempt to propagate.

Hope this helps.

BTW... Trend Micro released a new pattern because of us.


Jodrell P. Dimaculangan 
Manager - Technical Support Group
People's Choice 
Home Loan, Inc. 
Helpdesk: 949-341-2035 
Phone:    949-341-2009 
Fax:        949-341-5440 
<mailto:helpdesk@...li.com>
<mailto:Jodrell@...li.com>

CONFIDENTIALITY AND DISCLAIMER NOTICE 
This e-mail is intended only for the addressee named above and the
contents should not be disclosed to any other person nor copies taken.
As Internet communications are not secure we do not accept legal
responsibility for the contents of this message nor responsibility for
any change made to this message after the original sender sent it. We
advise you to carry out your own virus check before opening any
attachment, as we cannot accept liability for any damage sustained as a
result of any software viruses. If you have received this e-mail in
error, please notify us immediately by replying to this email or by
calling our technical support department 949-341-2035.

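The checks Jodrell describes above (Symantec-looking entries under the HKLM Run/RunServices keys on a host that does not run Symantec, and the files navpaw32.exe / navpxaw32.exe under System32) can be scripted. The following PowerShell is an added example, not code from the original thread or from either poster. It assumes, as the post does, that the host does not run Symantec products; the WOW6432Node key, the Authenticode signature check and the icacls lockdown are additions for modern hosts rather than steps from the post. Run it elevated, ideally in Safe Mode as the post suggests; without -Remediate it only reports.

```powershell
# Added triage script for the AGOBOT-variant indicators described in the thread.
# Not from the original post. Assumptions: the host does not legitimately run
# Symantec/Norton AV, so any autostart entry naming itself after it is suspect.
[CmdletBinding()]
param(
    [switch]$Remediate   # also delete the autostart value and deny Execute on dropped files
)

$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',          # named in the post
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',  # named in the post
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'  # 64-bit hosts; added here
)
$suspectFiles = @('navpaw32.exe', 'navpxaw32.exe')   # file names given in the post
$systemDir    = [Environment]::SystemDirectory       # Winnt\System32 on Win2K

function Get-CommandPath {
    # Extract the executable from an autostart command line: a quoted path, or the first .exe token.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"')     { return $Matches[1] }
    if ($cmd -match '^\s*(\S+?\.exe)\b') { return $Matches[1] }
    return $cmd.Trim()
}

function Test-AutostartEntry {
    # Returns an object whose Reasons list is empty when nothing about the entry is suspicious.
    param([string]$Key, [string]$Name, [string]$CommandLine)
    $path    = Get-CommandPath $CommandLine
    $file    = [IO.Path]::GetFileName($path).ToLowerInvariant()
    $reasons = @()

    # Indicator 1 from the post: an "official-looking" Symantec/Norton entry on a non-Symantec host.
    if (($Name + ' ' + $path) -match 'symantec|norton|\bnav') {
        $reasons += 'names itself after Symantec/Norton AV on a host without Symantec'
    }
    # Indicator 2 from the post: the exact dropper file names.
    if ($suspectFiles -contains $file) {
        $reasons += 'file name matches the reported AGOBOT variant'
    }
    # Added check: a genuine vendor binary carries a valid Authenticode signature; the worm's copy will not.
    if (Test-Path -LiteralPath $path) {
        $sig = Get-AuthenticodeSignature -FilePath $path
        if ($sig.Status -ne 'Valid') { $reasons += "binary is not validly signed ($($sig.Status))" }
    }

    [pscustomobject]@{ Key = $Key; Name = $Name; Path = $path; Reasons = $reasons }
}

# Walk every autostart key the post mentions and keep only flagged entries.
$hits = foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }
    $reg = Get-Item -Path $key
    foreach ($valueName in $reg.GetValueNames()) {
        $entry = Test-AutostartEntry -Key $key -Name $valueName -CommandLine ([string]$reg.GetValue($valueName))
        if ($entry.Reasons.Count -gt 0) { $entry }
    }
}

# Second check from the post: the dropped binaries under System32, whether or not they autostart.
$dropped = Get-ChildItem -LiteralPath $systemDir -File -ErrorAction SilentlyContinue |
    Where-Object { $suspectFiles -contains $_.Name.ToLowerInvariant() }

$hits    | Format-Table Key, Name, Path, @{ n = 'Reasons'; e = { $_.Reasons -join '; ' } } -AutoSize
$dropped | Select-Object FullName, Length, LastWriteTime

if ($Remediate) {
    foreach ($h in $hits) {
        # The post's "Delete": remove the autostart value so the binary is not launched at boot.
        Remove-ItemProperty -Path $h.Key -Name $h.Name -ErrorAction Continue
    }
    foreach ($f in $dropped) {
        # The post's "remove all permission": deny Execute to Everyone so the file cannot be run.
        icacls $f.FullName /deny 'Everyone:(X)' | Out-Null
    }
}
```

The signature check is the part worth keeping even once the specific file names are stale: a worm that impersonates an AV vendor in the Run key can copy the name, but not the vendor's Authenticode signature. After remediation, the post's last step still applies: watch the firewall for outbound scanning on 445 from the host once it is back on the network.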

-----Original Message-----
From: Tony Abell [mailto:TonAbe@...tool.com] 
Sent: Thursday, April 29, 2004 9:45 AM
To: 'bugtraq@...urityfocus.com'
Subject: New Worm??? - High level of activity on port 445

Since late yesterday afternoon, 4/28/04 around 4pm, our firewall started
throwing alarms on netprobes. We are seeing a large amount of probes
coming from one machine that is probing random IPs on port 445. The
source port is random as well. We traced it back to a Japanese Win2K
machine w/SP4 installed. No idea if it's fully patched or not, I have no
desire to put it back on my network to patch it until I get this figured
out. I scanned the machine in safe mode as well as booting normally
using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing.

Is anyone else seeing anything like this? 

Tony Abell
Network Administrator
OSG Tap & Die
