mailing list archives
From: "Ejay Hire" <Ejay.hire () broadslate net>
Date: Fri, 14 Sep 2001 11:04:23 -0500
My Honeypot was infected with a new self-replicating worm yesterday. It appears to check for open win95/98/me netbios
shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (In
quiet Mode). Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity. The
windows 2000 pro pc seems unaffected. I will make the files available for dis-assembly if anyone is interested.
To check for infection, look for the following files in c:/windows/system
wininit.log --Apparent Log file
info.dll --Apparent Log file
dnetc.exe -- Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...
- New Worm Ejay Hire (Sep 14)