What's the propagation method? Is it through email? - SG -----Original Message----- From: Polazzo Justin [mailto:Justin.Polazzo@facilities.gatech.edu] Sent: Thursday, April 08, 2004 6:53 AM To: appsec-research@linuxbox.org Cc: bugtraq@securityfocus.com Subject: New Worm/Virus April 8th Concerning the new worm type infection spreading around today (6:15am EST) the file is called ndemon.exe (.99k) and it puts itself into c:\winnt and c:winnt\system32. Registry entries HKLM\Software|Microsoft|CurrentVersion\Run and HKLM\Software|Microsoft|CurrentVersion\RunServices (Think it creates that one). At first look: it then tries to propagate itself via MS ports 135, and 139 VIA known flaws and password guessing. It also listens for other infected machines on port 1025 and scans for MS IIS boxes on port 80 (to try known exploits as well) The infected machines were win2k SP4 (fully Patched) Running Symantec AV v8.6 Just a heads up jp Justin Polazzo CSS II, Facilities IT Georgia Institute of Technology 915 Atlantic Drive Atlanta, GA 30332-0350 404-894-6804 Voice 404-894-8088 Facsimile justin.polazzo@facilities.gatech.edu Request assistance at < http://it.facilities.gatech.edu/it-helpdesk.php> Submit a question or comment at < http://it.facilities.gatech.edu/comments.php> http://www.cauce.org A site to help fight Spam The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.
