Without any more details, like traffic captures, I can only assume it is one of the new Lsass worms looking for MS04-011 vulnerable machines. http://www.sarc.com/avcenter/venc/data/hacktool.lsasssba.html Roger ************************************************************************ *** *Roger A. Grimes, Computer Security Consultant *CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), A+ *email: roger@banneretcs.com *cell: 757-615-3355 *Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly *http://www.oreilly.com/catalog/malmobcode *Author of upcoming Honeypots for Windows (Apress) ************************************************************************ **** -----Original Message----- From: Tony Abell [mailto:TonAbe@osgtool.com] Sent: Thursday, April 29, 2004 12:45 PM To: 'bugtraq@securityfocus.com' Subject: New Worm??? - High level of activity on port 445 Since late yesterday 4/28/04 afternoon around 4pm our firewall started throwing alarms on netprobes. We are seeing a large amount of probes coming from one machine that is probing random IPs on port 445. The source port is random as well. We traced it back to a Japanese Win2K machine w/SP4 installed. No idea if it's fully patched or not, I have no desire to put it back on my network to patch it until I get this figured out. I scanned the machine in safe mode as well as booting normally using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing. Is anyone else seeing anything like this? Tony Abell Network Administrator OSG Tap & Die
