nanog mailing list archives

Re: New Worm


From: Jeff Gehlbach <jeffg () empire com>
Date: Fri, 14 Sep 2001 11:29:59 -0400


On Fri, Sep 14, 2001 at 11:04:23AM -0500, Ejay Hire wrote:
> My Honeypot was infected with a new self-replicating worm yesterday.
> It appears to check for open win95/98/me netbios shares with read/write
> permission and installs wininit.exe (the scanner/infector) and the
> distributed.net client (In quiet Mode).

Matches the MO of W32.HLLW.Bymer, a pretty old one that hit my parents'
PC a while back:

http://www.symantec.com/avcenter/venc/data/w32.hllw.bymer.html

--
Jeff Gehlbach, Concord Communications <jgehlbach () concord com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184  fax 770.384.0183

