Need help - Trying to capture a possible windows/SMB worm

Dave Kempe david at solutionsfirst.net
Sat Sep 30 22:39:22 GMT 2000


> Recently, in my firewall logs for my FreeBSD system here, I have
> picked up what I believe to be unmistakable signs of some sort of
> Windows/SMB worm that has been trying to get into my (closed) port 139
> from many different IP addresses within my same /16 IP address block.

Such worms exist.
This is an example of one of them:
http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
and worm explore.zip does the same thing
http://www.symantec.com/ns-search/sarc/avcenter/graphics/worm.explore.zip.html?NS-search-set=/39d65/aaa04uJ5xd65b81&NS-doc-offset=7&

Are you trying to discover this worm? Or curious to see what it's doing?
The w32.hllw worm also probes port 7597, so maybe you could look for that as
well and then you would know what worm you have.
I'm also sure that if you search for other network share based worms then
you will find them; I can think of another few at least. Loveletter
searched across the network for shares named 'c', I think. No, maybe that was
something else, but still they exist.
Most likely, however, they are Windows machines broadcasting to find the
browse list.
On old Win95 machines, as soon as you click Entire Network it would chuck
broadcasts out every interface :( I'm sure other machines would do it, especially if
the Internet interface was their only interface.

Hope that helps,

Dave
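As an added example (not part of the mailing-list thread), the triage Dave suggests can be scripted: flag in-block sources that hit both port 139 and port 7597 as worm-like, and set aside sources that only send NetBIOS name/datagram broadcasts, which is what ordinary browse-list chatter looks like. The log line format below is a constructed ipfw-style layout and the addresses are made up; adjust the regex to your own firewall's output.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed ipfw-style line: "ipfw: 100 Deny TCP 10.1.2.3:1030 10.1.9.9:139 in via fxp0"
LINE_RE = re.compile(
    r"ipfw: \d+ (?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) in via (?P<iface>\w+)"
)

SMB_SESSION_PORT = 139     # NetBIOS session service, the port being probed
QAZ_SECOND_PORT = 7597     # second port the post says the QAZ worm probes
BROWSE_PORTS = {137, 138}  # NetBIOS name/datagram service, used for browse-list broadcasts

def parse(lines):
    """Yield one dict per line that matches the assumed log layout."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()

def triage(lines, local_net):
    """Return (worm_suspects, broadcasters): in-block sources that hit both 139 and
    7597, versus in-block sources that only sent UDP 137/138 to a broadcast address."""
    net = ip_network(local_net)
    bcast_addrs = {"255.255.255.255", str(net.broadcast_address)}
    ports_by_src = defaultdict(set)
    bcast_only = defaultdict(lambda: True)
    for rec in parse(lines):
        src = rec["src"]
        if ip_address(src) not in net:      # only sources inside the /16 matter here
            continue
        dport = int(rec["dport"])
        ports_by_src[src].add(dport)
        is_bcast = rec["proto"] == "UDP" and dport in BROWSE_PORTS and rec["dst"] in bcast_addrs
        bcast_only[src] = bcast_only[src] and is_bcast
    worm = sorted(s for s, p in ports_by_src.items()
                  if SMB_SESSION_PORT in p and QAZ_SECOND_PORT in p)
    broadcasters = sorted(s for s in ports_by_src if bcast_only[s])
    return worm, broadcasters

# Constructed sample log: one worm-like host, one browse broadcaster, one 139-only
# source, and one source outside the /16 that is ignored.
SAMPLE_LOG = """\
ipfw: 100 Deny TCP 10.1.2.3:1030 10.1.9.9:139 in via fxp0
ipfw: 100 Deny TCP 10.1.2.3:1031 10.1.9.9:7597 in via fxp0
ipfw: 100 Deny TCP 10.1.40.7:1029 10.1.9.9:139 in via fxp0
ipfw: 100 Deny UDP 10.1.5.5:137 10.1.255.255:137 in via fxp0
ipfw: 100 Deny UDP 10.1.5.5:138 10.1.255.255:138 in via fxp0
ipfw: 100 Deny TCP 192.168.7.1:2000 10.1.9.9:139 in via fxp0
""".splitlines()

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "10.1.0.0/16"))  # (['10.1.2.3'], ['10.1.5.5'])
```

A source that hits 139 alone (10.1.40.7 above) lands in neither list; it needs more evidence before being called a worm.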

