Re: TCP 445 Scan?

From: Brian McWilliams (brian@pc-radio.com)
Date: Tue Mar 04 2003 - 11:59:33 PST

    Maybe it's this new worm?
    
    http://www.viruslist.com/eng/viruslist.html?id=59741
    
    
    Worm.Win32.Randon
    
    Randon is a Virus-Worm distributed via IRC-channels and LANs with shared 
    resources.
    
    When executed this worm installs its components into the subdirectory zxz 
    and/or zx in the Windows system directory and registers its main file and 
    the mIRC client in the Windows registry auto-run key (below):
    
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updateWins
    
    Randon then executes the above key and hides the process via the 
    HideWindows utility. Randon connects to the IRC-server and executes its 
    scripts. In addition to DDoS attacks and IRC channel flooding, Randon scans 
    port 445 of other IRC clients.
    
    [snip]
    
    At 01:25 PM 2/27/2003, Charles Hamby wrote:
    
    
    >Morning/Afternoon All,
    >
    >Has anyone else recently been pegged with a large number of distributed
    >TCP 445 scans over a short amount of time (within a few minutes)?  A
    >couple of days ago I was hit by roughly 60+ scans in a short amount of
    >time; when I waded through it, it wound up being about 45 unique IP addresses
    >all looking for TCP 445.  Below is an excerpt from my firewall log
    >(Netscreen).  Has anyone else been seeing these sorts of scans lately?
    >I've only seen the one scan, so I haven't had a chance to capture any more
    >traffic.
    >
    >-CDH
    >
    >
    >2003-2-23 23:05:52 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:49 Deny  213.51.247.114->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:36 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:33 Deny  213.51.21.143->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:30 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:27 Deny  12.242.204.86->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:23 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:21 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:20 Deny  62.253.118.133->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:19 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:18 Deny  65.163.177.202->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:18 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:18 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:17 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  217.1.167.84->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    >2003-2-23 23:05:16 Deny  217.162.183.155->W.X.Y.Z 0 sec TCP PORT 445
    >2003-2-23 23:05:15 Deny  12.231.241.129->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:15 Deny  24.66.39.214->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  141.153.232.196->W.X.Y.Z 0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  12.229.115.40->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:14 Deny  12.231.161.15->W.X.Y.Z   0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  217.162.7.16->W.X.Y.Z    0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  62.190.172.203->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  12.242.250.247->W.X.Y.Z  0 sec TCP PORT 445
    >2003-2-23 23:05:13 Deny  217.162.202.177->W.X.Y.Z 0 sec TCP PORT 445
    >
    
    
    
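As an added example (not part of the thread or the Netscreen product), a small Python parser for deny lines in the format quoted above that flags a distributed scan when many distinct sources are denied on TCP 445 inside a short window; the line format is assumed from the excerpt, and the sample log is constructed with documentation addresses rather than the ones in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Netscreen-style deny line, e.g.
# "2003-2-23 23:05:52 Deny  203.0.113.5->W.X.Y.Z  0 sec TCP PORT 445"
# (format assumed from the quoted excerpt).
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{1,2}-\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+)\s+(?P<src>[\d.]+)->(?P<dst>\S+)\s+"
    r"(?P<dur>\d+) sec (?P<proto>\w+) PORT (?P<port>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
    return {"ts": ts, "action": m["action"], "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "port": int(m["port"])}

def hits_per_source(lines, port=445):
    """Count denied TCP hits on `port` per source; repeated hits a few seconds
    apart from one source usually indicate SYN retransmits, not a second scan."""
    counts = defaultdict(int)
    for e in map(parse_line, lines):
        if e and e["action"] == "Deny" and e["proto"] == "TCP" and e["port"] == port:
            counts[e["src"]] += 1
    return dict(counts)

def distributed_scan_sources(lines, port=445, window=timedelta(minutes=5), min_sources=10):
    """Return the largest set of distinct sources denied on `port` within any
    `window`-long span, or an empty set if no span reaches `min_sources`."""
    events = sorted((e for e in map(parse_line, lines)
                     if e and e["action"] == "Deny" and e["proto"] == "TCP" and e["port"] == port),
                    key=lambda e: e["ts"])
    best, start = set(), 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:   # slide window start
            start += 1
        srcs = {e["src"] for e in events[start:end + 1]}
        if len(srcs) >= min_sources and len(srcs) > len(best):
            best = srcs
    return best

# Constructed sample: 12 sources each hitting 445 twice within ~15 s, one port-80
# deny, and one 445 deny 35 minutes earlier that should fall outside the window.
SAMPLE_LOG = [f"2003-2-23 23:05:{s:02d} Deny  192.0.2.{i}->W.X.Y.Z  0 sec TCP PORT 445"
              for i in range(1, 13) for s in (10 + i, 13 + i)] + [
    "2003-2-23 23:05:40 Deny  198.51.100.7->W.X.Y.Z  0 sec TCP PORT 80",
    "2003-2-23 22:30:00 Deny  198.51.100.9->W.X.Y.Z  0 sec TCP PORT 445"]
```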



    This archive was generated by hypermail 2b30 : Wed Mar 05 2003 - 08:27:30 PST