Need help - Trying to capture a possible windows/SMB worm

Dave Kempe david at
Sat Sep 30 22:39:22 GMT 2000

> Recently, in my firewall logs for my FreeBSd system here, I have
> picked up what I believe to be unmistakable signs of some sort of
> Windows/SMB worm that has been trying to get into my (close) port 139
> from many different IP addresses within my same /16 IP address block.

Such worms exist.
This is an example of one of them:
and worm does the same thing

Are you trying to discover this worm? Or curious to see what its doing.
The w22.hllw worm also probes port 7597 so maybe you could look for that as
well and then you would know what worm you have.
I'm also sure that if you search for other network share based worms then
you will find them, I can think of another few at least. - Loveletter
searched across the network for shares named 'c' i think. no maybe that was
something else, but still they exist.
Most likely however, they are windows machine broadcasting to find the
browse list.
On old win95 machines, as soon as you click entire network it would chuck
broadcasts out every interface :( I'm sure other machine would do it esp if
the internet int was their only interface.

Hope that helps,


More information about the samba mailing list