RE: Unusual volume: UDP:137 probes

From: Jeremy Junginger (jjungingerat_private)
Date: Wed Oct 02 2002 - 09:49:25 PDT


    Have you seen this attack open print shares?
    
    -----Original Message-----
    From: Axel Pettinger [mailto:apiat_private] 
    Sent: Tuesday, October 01, 2002 9:45 AM
    To: John Sage
    Cc: incidentsat_private; handlerat_private
    Subject: Re: Unusual volume: UDP:137 probes
    
    
    John Sage wrote:
    > 
    > This has received some mention on the UNISOG list and elsewhere, but 
    > not here.
    > 
    > Some people have been seeing unusually high volumes of UDP:137 probes 
    > since about 09/27/02 late, or early 09/28/02.
    
    Yesterday morning I sent a file (name: SCRSVR.EXE) into various anti 
    virus labs and asked them to confirm my suspicion that it was a new open
    share worm. Since this morning my suspicion is confirmed. I think that
    it is related to the reports of "unusually high volumes of 
    UDP:137 probes". It's the same malicious program Mark Forsyth has 
    already mentioned.
    
    Here's more info about that open share worm:
    
    SCRSVR.EXE, identified as ("older" identifications included) ...
    
        CA Vet RESCUE              : Win32.Opaserv.A (trojan)
        Dialogue Science DrWebWCL  : Win32.HLLW.Opasoft
        ESET NOD32DOS              : Win32/Opaserv.A
        GeCAD RAVAV                : Win32/Opaserv.A.worm
        Ikarus PSCAN               : Worm.Psp.Opasoft.A
        Kaspersky Lab KAVDOS32     : Backdoor.Opasoft -> Worm.Win32.Opasoft.a
        McAfee SCANPM              : BackDoor-ALB -> W32/Scrup.worm -> W95/Scrup.worm
        Norman NVC                 : W32/Opaserv.A
        Panda Antivirus PAVCL      : Bck/Opasoft -> W32/Opaserv
        SOFTWIN BDDOSC             : Trojan.Omageneer.A -> Win32.Worm.Opaserv.A
        Sophos SWEEP               : W32/Opaserv-A
        Symantec NAV CE VSCAND     : W32.Opaserv.Worm
        Trend Micro VSCAN32        : BKDR_OPASOFT.A -> WORM_OPASOFT.A
    
    Descriptions:
    http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
    http://www.sophos.com/virusinfo/analyses/w32opaserva.html
    http://vil.nai.com/vil/content/v_99729.htm
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
    http://www3.ca.com/virusinfo/Virus.asp?ID=13234
    http://www.europe.f-secure.com/v-descs/opasoft.shtml
    http://www.kav.ch/avpve/worms/win32/opasoft.stm
    http://www.norman.no/virus_info/w32_opaserv_a.shtml
    
    Removal tool:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html
    
    Regards,
    Axel Pettinger
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For
    more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    



    This archive was generated by hypermail 2b30 : Wed Oct 02 2002 - 11:39:48 PDT