Security Incidents mailing list archives
RE: Unusual volume: UDP:137 probes
From: "Jeremy Junginger" <jjunginger () usbestcrm com>
Date: Wed, 2 Oct 2002 09:49:25 -0700
Have you seen this attack open print shares?

-----Original Message-----
From: Axel Pettinger [mailto:api () epost de]
Sent: Tuesday, October 01, 2002 9:45 AM
To: John Sage
Cc: incidents () securityfocus com; handler () incidents org
Subject: Re: Unusual volume: UDP:137 probes

John Sage wrote:
> This has received some mention on the UNISOG list and elsewhere, but
> not here. Some people have been seeing unusually high volumes of
> UDP:137 probes since about 09/27/02 late, or early 09/28/02.

Yesterday morning I sent a file (name: SCRSVR.EXE) into various
anti-virus labs and asked them to confirm my suspicion that it was a new
open share worm. Since this morning my suspicion is confirmed. I think
that it is related to the reports of "unusually high volumes of
UDP:137 probes". It's the same malicious program Mark Forsyth has
already mentioned.

Here's more info about that open share worm:
SCRSVR.EXE, identified as ("older" identifications included) ...
CA Vet RESCUE             : Win32.Opaserv.A (trojan)
Dialogue Science DrWebWCL : Win32.HLLW.Opasoft
ESET NOD32DOS             : Win32/Opaserv.A
GeCAD RAVAV               : Win32/Opaserv.A.worm
Ikarus PSCAN              : Worm.Psp.Opasoft.A
Kaspersky Lab KAVDOS32    : Backdoor.Opasoft -> Worm.Win32.Opasoft.a
McAfee SCANPM             : BackDoor-ALB -> W32/Scrup.worm -> W95/Scrup.worm
Norman NVC                : W32/Opaserv.A
Panda Antivirus PAVCL     : Bck/Opasoft -> W32/Opaserv
SOFTWIN BDDOSC            : Trojan.Omageneer.A -> Win32.Worm.Opaserv.A
Sophos SWEEP              : W32/Opaserv-A
Symantec NAV CE VSCAND    : W32.Opaserv.Worm
Trend Micro VSCAN32       : BKDR_OPASOFT.A -> WORM_OPASOFT.A

Descriptions:
http://www.sarc.com/avcenter/venc/data/w32.opaserv.worm.html
http://www.sophos.com/virusinfo/analyses/w32opaserva.html
http://vil.nai.com/vil/content/v_99729.htm
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_OPASOFT.A
http://www3.ca.com/virusinfo/Virus.asp?ID=13234
http://www.europe.f-secure.com/v-descs/opasoft.shtml
http://www.kav.ch/avpve/worms/win32/opasoft.stm
http://www.norman.no/virus_info/w32_opaserv_a.shtml
Removal tool:
http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.worm.removal.tool.html

Regards,
Axel Pettinger
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For
more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
