On Wed, 10 Jul 2002, Pavel Kankovsky wrote:

> winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
> notepad.exe A 317440 Fri Jul 5 15:43:08 2002
> control.exe A 317440 Fri Jul 5 15:43:08 2002
> scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
> ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
> scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
> loadpe.com A 317440 Fri Jul 5 15:43:40 2002
> msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
> wf2k.exe A 317440 Fri Jul 5 15:43:40 2002

Pavel provided me some samples off-list. The ones shown here are identified as Stator by the f-prot DOS scanner.

http://securityresponse.symantec.com/avcenter/venc/data/w32.statorat_private

A few other files (not shown in this note) are Datom:

http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html

Datom scans for open shares, so that's the port 139 traffic. The Symantec description of the Stator worm says it's a mass-mailer, so I'm not sure how that relates, or why they are there. The filenames match, though.

Ryan

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
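The listing quoted in the thread shows nine files under unrelated system-executable names that all have the same byte size and were written within seconds of each other. The following is an added example (not part of the original thread or of any Symantec or f-prot tooling) that parses such a listing and flags size clusters of that kind, which is the quick triage check a responder would run before sending samples to a scanner; the listing itself is taken from the message above.

```python
from collections import defaultdict
from datetime import datetime

# The listing quoted in the message above: "name attr size Wday Mon D HH:MM:SS YYYY".
LISTING = """\
winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
notepad.exe A 317440 Fri Jul 5 15:43:08 2002
control.exe A 317440 Fri Jul 5 15:43:08 2002
scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
loadpe.com A 317440 Fri Jul 5 15:43:40 2002
msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
wf2k.exe A 317440 Fri Jul 5 15:43:40 2002
"""


def parse_listing(text):
    """Parse directory-listing lines into dicts with name, attr, size and mtime."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 8:
            continue  # blank or malformed line: skip rather than guess
        name, attr, size = parts[0], parts[1], int(parts[2])
        mtime = datetime.strptime(" ".join(parts[3:]), "%a %b %d %H:%M:%S %Y")
        entries.append({"name": name, "attr": attr, "size": size, "mtime": mtime})
    return entries


def size_clusters(entries, min_names=3):
    """Return {size: [names]} for sizes shared by at least min_names distinct filenames.

    Genuinely different programs (notepad.exe, control.exe, msiexec.exe, ...) should
    not share one exact byte size; a cluster like that usually means one binary was
    dropped under many names, which is what the thread's Stator samples look like."""
    by_size = defaultdict(set)
    for e in entries:
        by_size[e["size"]].add(e["name"].lower())
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_names}


def write_span_seconds(entries):
    """Seconds between the earliest and latest mtime; a narrow span plus a size
    cluster points at a single automated drop rather than normal software installs."""
    times = [e["mtime"] for e in entries]
    return int((max(times) - min(times)).total_seconds())


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    for size, names in size_clusters(parsed).items():
        print(f"{len(names)} distinct names share size {size}: {', '.join(names)}")
    print(f"writes span {write_span_seconds(parsed)} seconds")
```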
This archive was generated by hypermail 2b30 : Fri Jul 12 2002 - 16:48:32 PDT