[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-Disclosure] Re: Outbreak of a virus on campus
- To: <full-disclosure@xxxxxxxxxxxxxxxx>
- Subject: [Full-Disclosure] Re: Outbreak of a virus on campus
- From: "RMueller" <mueller@xxxxxxxxxx>
- Date: Sat, 24 Apr 2004 09:46:09 -0500
>>>>>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>>>>>>>>>>.
Message: 8
From: "Willem Koenings" <isec@xxxxxxxxxx>
To: full-disclosure@xxxxxxxxxxxxxxxx
Date: Fri, 23 Apr 2004 10:38:23 -0500
Subject: [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp
80/6129/1025/3127
> Sound familiar to anyone?
Today catched worm wmiprvsw.exe. This worm incorporates stealth capabilities
- it hides it's process in memory and also it's exe is not seen in directory
listing, when worm is active. Although it does not hide registry entries, it
shuts down regedit, when regedit is executed. It creates two registry
entries 'System Updater Service' under Run and RunServices.
Then it starts scan following ports :
2745
135
1025
445
3127
6129
139
3140
Thats all for now - weekend :)
W.
--
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>..
>>>>>>>>>>>>>>>>>>>>>>>>>>>
Oh great, leave me hanging till Monday.
thank you
Randall M