New Worm

• Previous message (by thread): Forwarding - Reference - Assistance
• Next message (by thread): New Worm
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

My Honeypot was infected with a new self-replicating worm yesterday.  It appears to check for open win95/98/me netbios shares with read/write permission and installs wininit.exe (the scanner/infector) and the distributed.net client (In quiet Mode).  Upon reboot, the scanner will start and search for infectable hosts during periods of inactivity.  The windows 2000 pro pc seems unaffected.  I will make the files available for dis-assembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system

wininit.exe  --Application
wininit.log  --Apparent Log file
info.dll   --Apparent Log file
dnetc.exe  --  Distributed.net client
dnetc.ini -- Distributed.net config
Buff-in.* -- Distributed.net work units
ms216.exe -- Unknown, but the timestamp matched the other files...

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20010914/855edb0f/attachment.html>

• Previous message (by thread): Forwarding - Reference - Assistance
• Next message (by thread): New Worm
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]