Need help - Trying to capture a possible windows/SMB worm

Ronald F. Guilmette rfg at monkeys.com
Sat Sep 30 23:13:44 GMT 2000


In message <NEBBJKAJOKGPOMDPHGEAGEOJCDAA.david at solutionsfirst.net>, you wrote:

>> Recently, in my firewall logs for my FreeBSD system here, I have
>> picked up what I believe to be unmistakable signs of some sort of
>> Windows/SMB worm that has been trying to get into my (closed) port 139
>> from many different IP addresses within my same /16 IP address block.
>
>Such worms exist.
>This is an example of one of them:
>http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
>and worm explore.zip does the same thing
>http://www.symantec.com/ns-search/sarc/avcenter/graphics/worm.explore.zip.html?NS-search-set=/39d65/aaa04uJ5xd65b81&NS-doc-offset=7&
>
>Are you trying to discover this worm?

Yes.  Up until your letter, I believed that I was perhaps seeing some
brand new thing, and I wanted to do my civic duty (and be a hero) and
capture the thing and turn it over to the proper authorities.  But...

> Or curious to see what its doing.
>The w32.hllw worm also probes port 7597 so maybe you could look for that as
>well and then you would know what worm you have.

Bingo!  I just tried telnetting to port 7597 on all seven of the machines
that poked at my port 139 yesterday, and four of the seven have something
listening for connects (and printing a colon) at port 7597.  (The ones
that didn't respond may be powered down now or else they got disinfected
already.)

So it looks like the worm that I suspected was trying to get at me does in
fact exist and it looks like it is this W32.HLLW.Qaz.A thing that is
documented on the Symantec site.  Holy mackerel!  With the increasing number
of clue-deprived newbies getting DSL and cablemodem lines, I can see why
this thing might spread really fast.
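As an added example (not part of the thread, and not either poster's own setup), here is a small Python triage script for the check the message describes: it pulls denied port-139 connections out of ipfw-style firewall log lines, flags which sources sit in the firewall's own /16, and classifies a banner read from port 7597 by whether it begins with the colon the infected hosts are reported to print. The log lines, addresses and banners are constructed sample data, and the local address LOCAL_IP is an assumption.

```python
import ipaddress
import re
import socket
from collections import Counter

# Constructed sample lines in the shape of FreeBSD ipfw deny logging.
# These are made up for the example, not the original poster's log.
SAMPLE_LOG = """\
Sep 29 02:11:07 gw /kernel: ipfw: 300 Deny TCP 192.0.2.17:1086 192.0.2.200:139 in via fxp0
Sep 29 02:11:09 gw /kernel: ipfw: 300 Deny TCP 192.0.2.17:1087 192.0.2.200:139 in via fxp0
Sep 29 03:40:51 gw /kernel: ipfw: 300 Deny TCP 192.0.88.5:2201 192.0.2.200:139 in via fxp0
Sep 29 05:02:13 gw /kernel: ipfw: 300 Deny TCP 198.51.100.9:4412 192.0.2.200:139 in via fxp0
Sep 29 05:30:00 gw /kernel: ipfw: 300 Deny TCP 192.0.2.44:1030 192.0.2.200:80 in via fxp0
"""

LOCAL_IP = "192.0.2.200"   # assumed address of the firewalled host (constructed)
SMB_PORT = 139             # NetBIOS session service, the port the worm probes
QAZ_BACKDOOR_PORT = 7597   # port the message says infected hosts listen on

DENY_RE = re.compile(
    r"Deny TCP (\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+)"
)


def same_slash16(a, b):
    """True if both addresses fall inside the same /16 block."""
    net_a = ipaddress.ip_network(f"{a}/16", strict=False)
    net_b = ipaddress.ip_network(f"{b}/16", strict=False)
    return net_a == net_b


def port139_probes(log_text, local_ip=LOCAL_IP):
    """Count denied connections to port 139 on local_ip, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue
        src, _sport, dst, dport = m.groups()
        if dst == local_ip and int(dport) == SMB_PORT:
            hits[src] += 1
    return hits


def looks_like_qaz_banner(data):
    """The message reports that infected hosts answer on 7597 by printing a colon."""
    return data is not None and data.lstrip().startswith(b":")


def probe_backdoor_port(host, port=QAZ_BACKDOOR_PORT, timeout=3.0):
    """Connect and read the first bytes; None if nothing is listening.
    This is a live network call, only meaningful against hosts you administer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            return s.recv(64)
    except OSError:
        return None


def triage(log_text, local_ip=LOCAL_IP, banner_lookup=probe_backdoor_port):
    """Summarise each source that probed port 139: probe count, whether it is in
    our /16, and whether its 7597 banner matches the reported worm signature.
    banner_lookup(host) returns bytes or None; pass a function over collected
    banners for offline use, or leave the default for a live check."""
    report = []
    for src, n in sorted(port139_probes(log_text, local_ip).items()):
        banner = banner_lookup(src)
        report.append({
            "source": src,
            "probes": n,
            "same_slash16": same_slash16(src, local_ip),
            "qaz_banner": looks_like_qaz_banner(banner),
        })
    return report


if __name__ == "__main__":
    # Constructed banners standing in for what a live probe would have returned.
    collected = {"192.0.2.17": b":", "192.0.88.5": None, "198.51.100.9": b"220 mail"}
    for row in triage(SAMPLE_LOG, banner_lookup=collected.get):
        print(row)
```

Sources in the same /16 that also show the colon banner are the ones the message singles out; hosts that probed but no longer answer on 7597 show up with `qaz_banner` false, matching the poster's guess that they are powered off or already cleaned.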
