John Sage wrote:
>
> This has received some mention on the UNISOG list and elsewhere, but
> not here.
>
> Some people have been seeing unusually high volumes of UDP:137 probes
> since about 09/27/02 late, or early 09/28/02.

Yesterday morning I sent a file (name: SCRSVR.EXE) into various anti virus labs and asked them to confirm my suspicion that it was a new open share worm. Since this morning my suspicion is confirmed. I think that it is related to the reports of "unusually high volumes of UDP:137 probes". It's the same malicious program Mark Forsyth has already mentioned.

Here's more info about that open share worm:

SCRSVR.EXE, identified as ("older" identifications included) ...

CA Vet RESCUE             : Win32.Opaserv.A (trojan)
Dialogue Science DrWebWCL : Win32.HLLW.Opasoft
ESET NOD32DOS             : Win32/Opaserv.A
GeCAD RAVAV               : Win32/Opaserv.A.worm
Ikarus PSCAN              : Worm.Psp.Opasoft.A
Kaspersky Lab KAVDOS32    : Backdoor.Opasoft -> Worm.Win32.Opasoft.a
McAfee SCANPM             : BackDoor-ALB -> W32/Scrup.worm -> W95/Scrup.worm
Norman NVC                : W32/Opaserv.A
Panda Antivirus PAVCL     : Bck/Opasoft -> W32/Opaserv
SOFTWIN BDDOSC            : Trojan.Omageneer.A -> Win32.Worm.Opaserv.A
Sophos SWEEP              : W32/Opaserv-A
Symantec NAV CE VSCAND    : W32.Opaserv.Worm
Trend Micro VSCAN32       : BKDR_OPASOFT.A -> WORM_OPASOFT.A

Descriptions:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://vil.nai.com/vil/content/v_99729.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml

Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Regards,
Axel Pettinger

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

This archive was generated by hypermail 2b30 : Tue Oct 01 2002 - 13:05:39 PDT