This may be a clue. There was a new variant of the AGOBOT worm that we "uncovered".

In Safe Mode run regedt32, go to HKLM\software\Microsoft\Windows\CurrentVersion\Run and RunServices. Look for any Symantec entries (it will look official, but since we do not use Symantec NAV, it brought up red flags). Delete.

In CLI, go to Winnt\System32. Search for a navpaw32.exe or a navpxaw32.exe. Remove all permission to prevent this file from being run. Restart PC.

On your firewall check for port scanning. This worm will attempt to propagate.

Hope this helps. BTW... Trend Micro released a new pattern because of us.

Jodrell P. Dimaculangan
Manager - Technical Support Group
People's Choice Home Loan, Inc.
Helpdesk: 949-341-2035
Phone: 949-341-2009
Fax: 949-341-5440
<mailto:helpdesk@pchli.com>
<mailto:Jodrell@pchli.com>

CONFIDENTIALITY AND DISCLAIMER NOTICE
This e-mail is intended only for the addressee named above and the contents should not be disclosed to any other person nor copies taken. As Internet communications are not secure we do not accept legal responsibility for the contents of this message nor responsibility for any change made to this message after the original sender sent it. We advise you to carry out your own virus check before opening any attachment, as we cannot accept liability for any damage sustained as a result of any software viruses. If you have received this e-mail in error, please notify us immediately by replying to this email or by calling our technical support department 949-341-2035.

-----Original Message-----
From: Tony Abell [mailto:TonAbe@osgtool.com]
Sent: Thursday, April 29, 2004 9:45 AM
To: 'bugtraq@securityfocus.com'
Subject: New Worm??? - High level of activity on port 445

Since late yesterday 4/28/04 afternoon around 4pm our firewall started throwing alarms on netprobes. We are seeing a large amount of probes coming from one machine that is probing random IPs on port 445. The source port is random as well.

We traced it back to a Japanese Win2K machine w/SP4 installed. No idea if it's fully patched or not, I have no desire to put it back on my network to patch it until I get this figured out. I scanned the machine in safe mode as well as booting normally using SAV 8.1 with 4/28/04 Rev 38 defs and came up with nothing. Is anyone else seeing anything like this?

Tony Abell
Network Administrator
OSG Tap & Die
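The manual triage described in the reply above (Symantec-looking entries under HKLM Run / RunServices, and navpaw32.exe or navpxaw32.exe in System32) written up as a host check script. This is an added example, not code from either poster; it assumes a modern Windows host with PowerShell 5 or later run from an elevated prompt, takes the post's Winnt\System32 as $env:SystemRoot\System32, and implements the "remove all permission" step as an icacls deny ACE for Everyone, which is my reading of that step rather than something the post specifies.

```powershell
# Added example (not from the original thread): triage script for the indicators
# named in the reply: "Symantec"-looking autorun entries under HKLM Run/RunServices
# and navpaw32.exe / navpxaw32.exe in System32.
# Assumptions: modern Windows with PowerShell 5+, run elevated;
# the post's Winnt\System32 is taken as $env:SystemRoot\System32.
[CmdletBinding()]
param(
    # -Quarantine applies the post's "remove all permission" step via icacls
    [switch]$Quarantine
)

$suspectNames = @('navpaw32.exe', 'navpxaw32.exe')   # file names from the post
$autorunKeys  = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices'  # legacy key, may be absent
)

$findings = @()

# 1. Autorun values whose name looks like Symantec/Norton or whose command
#    references one of the suspect file names. Reported for human review.
foreach ($key in $autorunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip provider metadata properties
        $cmd = [string]$p.Value
        $nameHit = $p.Name -match 'symantec|norton|nav'
        $cmdHit  = ($suspectNames | Where-Object { $cmd -match [regex]::Escape($_) })
        if ($nameHit -or $cmdHit) {
            $findings += [pscustomobject]@{
                Type = 'Autorun'; Location = "$key\$($p.Name)"; Detail = $cmd
            }
        }
    }
}

# 2. The named executables on disk, hashed for the incident record.
$sys32 = Join-Path $env:SystemRoot 'System32'
foreach ($name in $suspectNames) {
    $path = Join-Path $sys32 $name
    if (Test-Path $path) {
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $path; Detail = "SHA256=$hash" }
        if ($Quarantine) {
            # Deny read/execute to Everyone (well-known SID S-1-1-0) so the file cannot launch.
            & icacls $path /deny '*S-1-1-0:(RX)' | Out-Null
        }
    }
}

if ($findings.Count -eq 0) { 'No indicators from the post found on this host.' }
else { $findings | Format-Table -AutoSize }
```

Run it without switches first and review the table: a "Symantec" autorun entry is only a red flag on a host where, as in the reply, Symantec is not actually installed. Record the hash before quarantining so the sample can be submitted to your AV vendor, as the reply describes doing with Trend Micro.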