Re: Increase in Scans of Port 445?

From: Thomas Schmitz (Thomas.Schmitzat_private)
Date: Mon Mar 10 2003 - 13:00:33 PST


    Rich,
    
    I think it is the new worm called DELODER and is described at the 
    website of Trendmicro:
    
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DELODER.A
    
    The German site http://www.heise.de has written today (in German only 
    unfortunately) that the worm spreads via Windows network shares at port 
    445. It tries to get access by a built-in list of 85 commonly known weak 
    "Administrator" passwords. After getting access it writes a 
    write-protected copy of itself in the Windows directory named 
    Dvldr32.exe. Then it installs and runs a backdoor program listening at 
    port 5800. The backdoor program hides itself as "Explorer.exe". The 
    worm is spreading especially in China but may come to the US and Europe too.
    
    Best regards,
    
    Thomas.
    
    Compton, Rich wrote:
    > Hey guys,
    > I've noticed on Incidents.org (http://isc.incidents.org/port_details.html?port=445) that there is an increase in traffic to port 445.  Is this because of this "Dropper" virus?  I noticed that the McAfee link (http://vil.nai.com/vil/content/v_100124.htm) stated that the risk of this virus is very low but if we are seeing such an increase in traffic to this port then it does seem like boxes are getting infected.  Perhaps it is more of a threat than was first considered (especially to home users). Is there some other method of preventing this worm from infecting a box other than turning off (or blocking) sharing? 
    > 
    > Thanks,
    > Rich Compton
    >
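The behaviour Thomas describes gives a defender two simple network indicators: one source touching many distinct hosts on TCP port 445 (the share-probing that a weak-password worm has to do), and new connections to port 5800 (where the post says the dropped backdoor listens). The script below is an added example, not from either poster or from Trend Micro or McAfee; it runs over a constructed firewall log in an assumed `key=value` format and flags both patterns. Real logs will differ in layout, and port 5800 is also the port of VNC's built-in web viewer, so a hit there is a lead to confirm on the host (for example by looking for the Dvldr32.exe file named above), not proof of infection on its own.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (assumed format, not from the original post).
# 10.0.0.5 hits six different hosts on 445 in a few seconds; 10.0.0.9 is a
# normal client talking to one file server; 10.0.0.7 connects to port 5800.
SAMPLE_LOG = """\
2003-03-10T12:00:01 src=10.0.0.5 dst=10.0.1.7 dport=445 proto=tcp action=allow
2003-03-10T12:00:01 src=10.0.0.5 dst=10.0.1.8 dport=445 proto=tcp action=deny
2003-03-10T12:00:02 src=10.0.0.5 dst=10.0.1.9 dport=445 proto=tcp action=deny
2003-03-10T12:00:02 src=10.0.0.5 dst=10.0.1.10 dport=445 proto=tcp action=deny
2003-03-10T12:00:03 src=10.0.0.5 dst=10.0.1.11 dport=445 proto=tcp action=deny
2003-03-10T12:00:03 src=10.0.0.5 dst=10.0.1.12 dport=445 proto=tcp action=deny
2003-03-10T12:00:05 src=10.0.0.9 dst=10.0.1.7 dport=445 proto=tcp action=allow
2003-03-10T12:00:06 src=10.0.0.9 dst=10.0.1.7 dport=80 proto=tcp action=allow
2003-03-10T12:01:10 src=10.0.0.7 dst=10.0.1.7 dport=5800 proto=tcp action=allow
"""

# Regex for the assumed log layout; adjust the field names for a real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) action=(?P<action>\S+)$"
)

SHARE_PORT = 445      # Windows file sharing, the port the worm spreads over
BACKDOOR_PORT = 5800  # port the post says the dropped backdoor listens on
SCAN_THRESHOLD = 5    # distinct 445 targets from one source before we flag it


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text, threshold=SCAN_THRESHOLD):
    """Flag sources that probe many hosts on 445 and any connection to 5800.

    Both allowed and denied 445 attempts count: a scanner that is blocked by
    the firewall still reveals itself by the spread of destinations it tries.
    """
    targets_by_src = defaultdict(set)
    backdoor_conns = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dport"] == SHARE_PORT:
            targets_by_src[rec["src"]].add(rec["dst"])
        elif rec["dport"] == BACKDOOR_PORT:
            backdoor_conns.append((rec["src"], rec["dst"]))
    scanners = {
        src: len(dsts)
        for src, dsts in targets_by_src.items()
        if len(dsts) >= threshold
    }
    return {"share_scanners": scanners, "backdoor_connections": backdoor_conns}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for src, n in result["share_scanners"].items():
        print(f"possible share scanner: {src} probed {n} hosts on tcp/{SHARE_PORT}")
    for src, dst in result["backdoor_connections"]:
        print(f"connection to backdoor port tcp/{BACKDOOR_PORT}: {src} -> {dst}")
```

Run against the sample, the script reports 10.0.0.5 as a possible share scanner (six targets) and the 10.0.0.7 to 10.0.1.7 connection on 5800, while the ordinary client 10.0.0.9 stays quiet. The threshold and the time window (here, the whole log) are the knobs to tune for a real network: a backup server or a domain controller legitimately touches many hosts on 445, so whitelist known sources before alerting.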
    
    
    



    This archive was generated by hypermail 2b30 : Mon Mar 10 2003 - 14:15:06 PST