| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <200404241445.i3OEjs908649@netsys.com> From: mueller at fidnet.com (RMueller) Subject: Re: Outbreak of a virus on campus >>>>>>>>>>>>>>>>>>>>>> >>>>>>>>>>>>>>>>>>>>>>>>>>. Message: 8 From: "Willem Koenings" <isec@...ope.com> To: full-disclosure@...ts.netsys.com Date: Fri, 23 Apr 2004 10:38:23 -0500 Subject: [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 > Sound familiar to anyone? Today catched worm wmiprvsw.exe. This worm incorporates stealth capabilities - it hides it's process in memory and also it's exe is not seen in directory listing, when worm is active. Although it does not hide registry entries, it shuts down regedit, when regedit is executed. It creates two registry entries 'System Updater Service' under Run and RunServices. Then it starts scan following ports : 2745 135 1025 445 3127 6129 139 3140 Thats all for now - weekend :) W. -- >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>.. >>>>>>>>>>>>>>>>>>>>>>>>>>> Oh great, leave me hanging till Monday. thank you Randall M -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040424/7058cf28/attachment.html
Powered by blists - more mailing lists