
Re: Worm on 445/tcp?

From: <Tom.Gast(at)walgreens.com>
Date: Tue Dec 17 2002 - 14:52:55 EST


I don't believe Windows XP is going to be affected by this worm, due to the fact null is disabled by default.

- Tom G.

Scott Fendley <scottf@uark.edu>
12/17/2002 11:24 AM

        To:      "Scott A.McIntyre", incidents@securityfocus.com
        cc:
        Subject: Re: Worm on 445/tcp?

I think what you are seeing is the newest worm to come out called LIOTEN or
Iraqi Oil worm. It appears that it is only infecting windows 2k/XP servers
via SMB connections. There appears to be a lot of details amongst the following
URLs which can do a better job describing this worm than I could. --Scott

http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.lioten.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A
http://vil.mcafee.com/dispVirus.asp?virus_k=99897
http://www.mynetwatchman.com/kb/security/articles/iraqiworm/index.htm
http://www.unixwiz.net/iraqworm/

At 08:56 AM 12/17/2002 +0100, Scott A.McIntyre wrote:
>Over the past two weeks or so I've been noticing a steady rise in what first
>I thought a variation of OpaServ, and that hasn't been fully ruled out,
>but I'm not quite convinced of that either. Anyone have any clues that
>might help pin this down further?
>
>An infected machine seems to send the following:
>
>1095 114.002629 src -> dst SMB Negotiate Protocol Request
>1105 114.363458 src -> dst SMB Session Setup AndX Request
>1106 114.774364 src -> dst SMB Session Setup AndX Request
>1107 115.168792 src -> dst SMB Tree Connect AndX Request, Path: \\dst\IPC$
>1110 115.330792 src -> dst SMB NT Create AndX Request, Path: \samr

>segments.
>
>I've noticed others reporting similar increase in traffic, but so far
>haven't seen a definitive acknowledgment of precisely what it is that's
>responsible.
>
>Any pointers gratefully accepted.
>

---
Scott Fendley                           scottf@uark.edu
Systems/Security Analyst                (479) 575-2022
University of Arkansas                  (479) 575-4753 fax
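The capture summary quoted in this thread (Negotiate, two Session Setups, Tree Connect to IPC$, NT Create of \samr, repeated against many hosts) is a usable detection signature. The following is an added example, not code from the thread: it parses lines in that summary format, checks each source/destination pair for the full sequence, and reports sources that completed it against several destinations. The trace lines and the 10.0.0.x addresses are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the quoted capture summary
# ("frame time src -> dst SMB <request>"); not from the original post.
SAMPLE_TRACE = r"""
1095 114.002629 10.0.0.5 -> 10.0.0.20 SMB Negotiate Protocol Request
1105 114.363458 10.0.0.5 -> 10.0.0.20 SMB Session Setup AndX Request
1106 114.774364 10.0.0.5 -> 10.0.0.20 SMB Session Setup AndX Request
1107 115.168792 10.0.0.5 -> 10.0.0.20 SMB Tree Connect AndX Request, Path: \\10.0.0.20\IPC$
1110 115.330792 10.0.0.5 -> 10.0.0.20 SMB NT Create AndX Request, Path: \samr
1201 120.004110 10.0.0.5 -> 10.0.0.21 SMB Negotiate Protocol Request
1202 120.361020 10.0.0.5 -> 10.0.0.21 SMB Session Setup AndX Request
1203 120.770015 10.0.0.5 -> 10.0.0.21 SMB Session Setup AndX Request
1204 121.160400 10.0.0.5 -> 10.0.0.21 SMB Tree Connect AndX Request, Path: \\10.0.0.21\IPC$
1205 121.330002 10.0.0.5 -> 10.0.0.21 SMB NT Create AndX Request, Path: \samr
1300 130.000100 10.0.0.9 -> 10.0.0.20 SMB Negotiate Protocol Request
1301 130.400500 10.0.0.9 -> 10.0.0.20 SMB Tree Connect AndX Request, Path: \\10.0.0.20\public
"""

LINE_RE = re.compile(r"^\d+\s+[\d.]+\s+(\S+) -> (\S+) SMB (.+)$")

STAGES = (  # (request prefix, required path suffix, stage name)
    ("Negotiate Protocol Request", "", "negotiate"),
    ("Session Setup AndX Request", "", "session_setup"),
    ("Tree Connect AndX Request", "\\IPC$", "ipc_tree_connect"),
    ("NT Create AndX Request", "\\samr", "samr_open"),
)


def classify(request):
    """Map one SMB request description to a stage name, or None."""
    for prefix, suffix, stage in STAGES:
        if request.startswith(prefix) and request.endswith(suffix):
            return stage
    return None


def detect_fanout(trace_text, min_targets=2):
    """Return {src: [dst, ...]} for sources completing all stages against >= min_targets hosts."""
    stages = defaultdict(set)  # (src, dst) -> stage names seen
    for line in trace_text.splitlines():
        if not (m := LINE_RE.match(line.strip())):
            continue  # not a summary line in the expected format
        src, dst, request = m.groups()
        if stage := classify(request):
            stages[(src, dst)].add(stage)
    hits = defaultdict(list)
    for (src, dst), seen in stages.items():
        if seen.issuperset(s[2] for s in STAGES):  # all four stages present
            hits[src].append(dst)
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}
```

A single host completing the sequence once is ordinary admin traffic; the fan-out threshold is what separates the pattern described above from noise.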



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: 
http://aris.securityfocus.com
Received on Tue Dec 17 15:35:16 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:54 EDT

