After I saw that you guys were getting more port 137's than usual, I looked at my logs. I found that I was also getting far more port 137's than usual :) so I took a break from what I was doing to see what was up.

The remote port was almost always 1025, and the suspect only sent one attempt each time. I did the 10 second look on a suspect machine with an open share and found scrsvr.exe, which I believe to be the culprit. It seems so cut and dried that I'm not even gonna sandbox it.

Read more here - http://vil.mcafee.com/dispVirus.asp?virus_k=99729

Well, there ya go, comes to life ~the 28th, bang boom zoom.

All good things to all good people!
This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 12:17:02 PDT