Pantek Library

Odd Shares showing up on workstations

From: J Jewitt <jjewitt2001(at)yahoo.com>
Date: Thu Jan 16 2003 - 11:02:11 EST

  I'm seeing some strange activity, maybe someone can help.

  Windows 2000 workstations (the norm here) are getting their C and D drives shared, full control to everyone.

  The systems have current antivirus.

  The odd thing is the sharenames. The share name is the drive letter --C or D-- with a computer name of a DIFFERENT computer in our enterprise appended. The problem spans at least two domains that we have seen.

  These systems are all on a private network with a well-run firewall ruleset.      

  So if you look at a system showing these characteristics, you'll see a list of shares that look like:

|-|VICTIM
|+|CSYSTEMNAME1
|+|CSYSTEMNAME2
|+|DSYSTEMNAME1
|+|DSYSTEMNAME2
  So far, it appears it may be an admin script gone awry, but no one has admitted to it. So, if anyone has seen a worm like this please let me know.

      thanks in advance,
           J Jewitt



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Tue Jan 21 17:14:42 2003
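A triage check for the share-naming pattern described in the post, added here as an example and not part of the original message: it parses a listing in the column layout of `net share` (including a long share name wrapped onto a second line) and flags whole-drive shares whose name is the drive letter followed by another known host name. The sample listing, the host inventory (including WORKSTATION-114) and the function names are assumptions.

```python
import re

# Constructed sample in the column layout of `net share` output.
# SYSTEMNAME1/2 are the post's placeholders; WORKSTATION-114 is made up.
SAMPLE = r"""
Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\WINNT                        Remote Admin
CSYSTEMNAME1 C:\
DSYSTEMNAME2 D:\
DATA         D:\Data                         Team files
CWORKSTATION-114
             C:\
The command completed successfully.
"""

ROW = re.compile(r"^(\S+)\s+([A-Za-z]:\\\S*)")   # name and resource on one line
WRAPPED = re.compile(r"^\s+([A-Za-z]:\\\S*)")    # resource of a wrapped long name

def parse_shares(text):
    """Return (share_name, path) pairs; assumes share names without spaces."""
    shares, pending = [], None
    for line in text.splitlines():
        m = WRAPPED.match(line)
        if m and pending:
            shares.append((pending, m.group(1)))
            pending = None
            continue
        m = ROW.match(line)
        if m:
            shares.append(m.groups())
        # A lone token may be a long share name whose resource is on the next line.
        pending = line.strip() if re.fullmatch(r"\S+", line.strip()) else None
    return shares

def suspicious_shares(shares, local_host, known_hosts):
    """Flag drive-root shares named <drive letter><name of another known host>."""
    hosts = {h.upper() for h in known_hosts} - {local_host.upper()}
    hits = []
    for name, path in shares:
        m = re.fullmatch(r"([A-Za-z]):\\", path)
        if not m:
            continue  # only whole-drive shares match the reported pattern
        if name[:1].upper() == m.group(1).upper() and name[1:].upper() in hosts:
            hits.append((name, path, name[1:].upper()))
    return hits
```

The listing alone does not show permissions; each flagged share still needs its access list checked for the Everyone full-control grant the post describes.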

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:56 EDT

