Security Incidents
mailing list archives
RE: TCP port 139 probes
From: Ryan Russell <ryan () securityfocus com>
Date: Fri, 12 Jul 2002 17:08:40 -0600 (MDT)
On Wed, 10 Jul 2002, Pavel Kankovsky wrote:
winhlp32.exe A 317440 Fri Jul 5 15:43:08 2002
notepad.exe A 317440 Fri Jul 5 15:43:08 2002
control.exe A 317440 Fri Jul 5 15:43:08 2002
scanregw.exe A 317440 Fri Jul 5 15:43:08 2002
ifnhlp.sys A 317440 Tue Jul 9 22:20:00 2002
scanregw.exe A 317440 Fri Jul 5 15:43:40 2002
loadpe.com A 317440 Fri Jul 5 15:43:40 2002
msiexec.exe A 317440 Fri Jul 5 15:43:08 2002
wf2k.exe A 317440 Fri Jul 5 15:43:40 2002
Pavel provided me some samples off-list. The ones shown here are
identified as Stator by the f-prot DOS scanner.
http://securityresponse.symantec.com/avcenter/venc/data/w32.stator@mm.html
A few other files (not shown in this note) are Datom:
http://securityresponse.symantec.com/avcenter/venc/data/w32.datom.worm.html
Datom scans for open shares, so that's the port 139 traffic. The Symantec
description of the Stator worm says it's a mass-mailer, so I'm not sure
how that relates, or why they are there. The filenames match, though.
Ryan
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com