I've never seen it do that, in the 50 or so instances I've encountered. Does it only do it occasionally? Does it attack the same host against which 135/tcp failed, or some random third party? (Does it, perhaps, distinguish between 135/tcp "failed to connect" and 135/tcp "connected, but target was patched and so could not be infected"?)

David Gillett

> -----Original Message-----
> From: Jose Nazario [mailto:jose@monkey.org]
> Sent: November 19, 2003 17:06
> To: Jay D. Dyson
> Cc: Bugtraq
> Subject: Re: Router Worm?
>
> it's welchia/nachi. when it can't connect via 135/tcp, it will
> attempt an exploit against a webdav server (see MS03-007).
>
> i've seen an uptick in this in the past couple of days, too,
> visible on a few httpd servers i track. and i, too, was caught
> off guard until someone pointed out it was nachi to me. digging
> into the tech details showed that i (and many of us) had been
> overlooking a secondary attack.
>
> ___________________________
> jose nazario, ph.d. jose@monkey.org
> http://monkey.org/~jose/