I have found the following files in c:\windows on multiple machines probing port 139/tcp on addresses in my network (and having publicly accessible shares (*)):

MSVXD.EXE (58368 bytes)
MSVXD16.DLL (54784 bytes)
MSVXD32.DLL (81408 bytes)

According to http://www.sarc.com/avcenter/venc/data/w32.datom.worm.html, these files indicate the presence of a worm called "Datom" that spreads via publicly writeable shares.

Thanks to H C <keydet89at_private> who told me about the worm.

(*) Yes, I know I am not authorized to access disks of random braindead lusers who share them without any kind of protection. But I need 5 minutes to examine such a disk while I'd need much longer to build a half-decent honeypot. Anyway, those lusers should be happy I did not erase any of their precious files just to teach them it is a bad idea to leave them unprotected. Yes, I am evil.

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 15:23:35 PDT