lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
From: Ian.Latter at mq.edu.au (Ian Latter)
Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

We saw this a week+ ago ... I'm pretty sure the support peeps found that
this was a recent Netsky variant (V?) .. not sure.  It was just a bit too 
new for the Virus scanner at that time.



----- Original Message -----
>From: "Willem Koenings" <isec@...ope.com>
>To: <full-disclosure@...ts.netsys.com>
>Subject:  [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 
80/6129/1025/3127
>Date: Fri, 23 Apr 2004 10:38:23 -0500
>
> 
> > Sound familiar to anyone?
> 
> Today catched worm wmiprvsw.exe. This worm incorporates
> stealth capabilities - it hides it's process in memory and
> also it's exe is not seen in directory listing, when worm
> is active. Although it does not hide registry entries, it
> shuts down regedit, when regedit is executed.  It creates
> two registry entries 'System Updater Service' under Run
> and RunServices.
> 
> Then it starts scan following ports :
> 
> 2745
> 135
> 1025
> 445
> 3127
> 6129
> 139
> 3140
> 
> Thats all for now - weekend :)
> 
> W.
> -- 
> ___________________________________________________________
> Sign-up for Ads Free at Mail.com
> http://promo.mail.com/adsfreejump.htm
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

--
Ian Latter
Internet and Networking Security Officer
Macquarie University


Powered by blists - more mailing lists