
Re: [Full-disclosure] NT4 worm



The SANS Internet Storm Center is reporting a large increase in port 139
scans. Not much information on the spike yet.

<http://isc.sans.org/diary.php?storyid=1654>


On 8/30/06 10:08 AM, "Geo." <geoincidents@xxxxxxx> wrote:

> Has anyone seen a writeup on this new NT4 worm that's spreading via port 139
> MS06-040 yet? I'm seeing customers getting hit by it but I haven't seen any
> real mention of it anywhere yet. It appears to run two CMD.EXE hidden
> windows and sucks up all the cpu in the infected systems trying to spread.
> I've also seen one customer who found csrsc.exe on the machine after the
> worm hit them.
> 
> I did manage to find out once it exploits a machine it uses ftp.exe to
> connect back to the infecting host and transfer something but I've not had
> time to really dig into this thing. Hoping someone else has already. Looks
> like it's spreading pretty quick.
> 
> http://isc.incidents.org/port_details.php?port=139&repax=1&tarax=2&srcax=2&percent=N&days=40
> 
> 
> Geo.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


==================================================
David Taylor //Sr. Information Security Specialist
University of Pennsylvania Information Security
Philadelphia PA USA
(215) 898-1236
http://www.upenn.edu/computing/security/
==================================================

Penn Information Security RSS feed
http://www.upenn.edu/computing/security/rss/rssfeed.xml
Add link to your favorite RSS reader


