|
Security Incidents
mailing list archives
Re: Unusual volume: UDP:137 probes
From: James Sneeringer <james+incidents () vincentsystems com>
Date: Tue, 1 Oct 2002 15:26:49 -0500
On Tue, Oct 01, 2002 at 06:45:22PM +0200, Axel Pettinger wrote:
| Yesterday morning I sent a file (name: SCRSVR.EXE) into various anti
| virus labs and asked them to confirm my suspicion that it was a new
| open share worm. Since this morning my suspicion is confirmed. I think
| that it is related with the reports of "unusually high volumes of
| UDP:137 probes". It's the same malicious program Mark Forsyth has
| already mentioned.
It looks as though it can be distinguished from legitimate NetBIOS
traffic. Normal udp/137 will have 137 as the source and destination
(for file shares, anyway). This worm uses an arbitrary 1024+ source port.
-James
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- RE: Unusual volume: UDP:137 probes, (continued)
RE: Unusual volume: UDP:137 probes Scott, Michael R. (Oct 01)
Re: Unusual volume: UDP:137 probes Axel Pettinger (Oct 01)
- Re: Unusual volume: UDP:137 probes James Sneeringer (Oct 01)
RE: Unusual volume: UDP:137 probes Scott, Michael R. (Oct 01)
|
Intro
