> Is there any legitimate reason for these types of > random netbios name > scans, or any netbios name scan for that matter? Hhhhmmmm...a traffic capture might be something to do. Or, when the traffic occurs, run fport on the system to see which process is using the source port... > Also, does anyone know if > there is any way to remotely detect this worm on a > machine without running a local virus scan? Well, depending on the variant, it should be pretty easy to do: http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html Seems all you have to do is scan for the files on the root of the drive, or even easier is the Registry key. I run monthly scans to check the ubiquitous Run key, as well as others...using Perl, of course. __________________________________________________ Do you Yahoo!? Yahoo! Mail Plus - Powerful. Affordable. Sign up now. http://mailplus.yahoo.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Feb 06 2003 - 14:17:53 PST