nanog mailing list archives

RE: New Worm
From: "Hire, Ejay" <Ejay.Hire () Broadslate net>
Date: Fri, 14 Sep 2001 11:25:17 -0400

I was in error.  This is not a new worm.  Just an old one that won't die.
http://www.Symantec.com/avcenter/venc/data/w32.hllw.bymer.html
 
Apologies.
 

-----Original Message-----
From: Ejay Hire [mailto:Ejay.hire () broadslate net]
Sent: Friday, September 14, 2001 12:04 PM
To: nanog () merit edu
Subject: New Worm


My honeypot was infected with a new self-replicating worm yesterday.  It
appears to check for open Win95/98/ME NetBIOS shares with read/write
permission and installs wininit.exe (the scanner/infector) and the
distributed.net client (in quiet mode).  Upon reboot, the scanner will start
and search for infectable hosts during periods of inactivity.  The Windows
2000 Pro PC seems unaffected.  I will make the files available for
disassembly if anyone is interested.
 
To check for infection, look for the following files in c:/windows/system:
 
wininit.exe -- Application
wininit.log -- Apparent log file
info.dll    -- Apparent log file
dnetc.exe   -- Distributed.net client
dnetc.ini   -- Distributed.net config
Buff-in.*   -- Distributed.net work units
ms216.exe   -- Unknown, but the timestamp matched the other files...
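
The check described in the message above, as an added example that is not part of the original e-mail: it matches the listed file names case-insensitively in a given system directory (for instance, on a mounted disk image) and then flags other files modified within a short window of those hits, which is how ms216.exe stood out. The function names, the 120-second window and the sample directory are assumptions constructed for illustration.

```python
import fnmatch
import os
import tempfile

# File names listed in the post, lowercased for case-insensitive matching.
# ms216.exe is left out on purpose: the post found it by timestamp, not by name.
INDICATORS = ["wininit.exe", "wininit.log", "info.dll", "dnetc.exe",
              "dnetc.ini", "buff-in.*"]

def scan_system_dir(path, window_s=120):
    """Return (named_hits, timestamp_neighbours) for one system directory.

    window_s is an assumed tolerance, not a value from the post.
    """
    entries = []
    for entry in os.scandir(path):
        if entry.is_file(follow_symlinks=False):
            entries.append((entry.name, entry.stat(follow_symlinks=False).st_mtime))
    # Pass 1: files whose names match the published list.
    named = {n: m for n, m in entries
             if any(fnmatch.fnmatchcase(n.lower(), p) for p in INDICATORS)}
    # Pass 2: unlisted files written at about the same time as any named hit.
    neighbours = {n: m for n, m in entries
                  if n not in named
                  and any(abs(m - hit) <= window_s for hit in named.values())}
    return sorted(named), sorted(neighbours)

def build_sample_dir(root):
    """Constructed sample data: a fake system directory with set mtimes."""
    drop_time = 1000000000          # arbitrary epoch second for the sample drop
    old_time = drop_time - 90 * 86400
    files = {"WININIT.EXE": drop_time, "dnetc.exe": drop_time + 4,
             "Dnetc.ini": drop_time + 4, "buff-in.rc5": drop_time + 30,
             "ms216.exe": drop_time + 2,      # unlisted name, same time cluster
             "kernel32.dll": old_time, "user.exe": old_time}
    for name, mtime in files.items():
        full = os.path.join(root, name)
        with open(full, "wb") as fh:
            fh.write(b"constructed sample")
        os.utime(full, (mtime, mtime))
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        named, neighbours = scan_system_dir(build_sample_dir(tmp))
        print("named indicators:", named)
        print("same-time neighbours:", neighbours)
```

Timestamp neighbours are leads for review rather than confirmed indicators, since legitimate files installed in the same window will also appear.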
 

