<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 5.50.4522.1800" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>My Honeypot was infected with a new
self-replicating worm yesterday. It appears to check for open win95/98/me
netbios shares with read/write permission and installs wininit.exe (the
scanner/infector) and the distributed.net client (In quiet Mode). Upon
reboot, the scanner will start and search for infectable hosts during
periods of inactivity. The windows 2000 pro pc seems unaffected. I
will make the files available for dis-assembly if anyone is
interested.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>To check for infection, look for the following
files in c:/windows/system</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>wininit.exe --Application</FONT></DIV>
<DIV><FONT face=Arial size=2>wininit.log --Apparent Log file</FONT></DIV>
<DIV><FONT face=Arial size=2>info.dll --Apparent Log
file</FONT></DIV>
<DIV><FONT face=Arial size=2>dnetc.exe -- Distributed.net
client</FONT></DIV>
<DIV><FONT face=Arial size=2>dnetc.ini -- Distributed.net config</FONT></DIV>
<DIV><FONT face=Arial size=2>Buff-in.* -- Distributed.net work
units</FONT></DIV>
<DIV><FONT face=Arial size=2>ms216.exe -- Unknown, but the timestamp matched the
other files...</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV></BODY></HTML>