We saw this a week+ ago ... I'm pretty sure the support peeps found that this was a recent Netsky variant (V?) .. not sure. It was just a bit too new for the Virus scanner at that time.
----- Original Message ----- >From: "Willem Koenings" <[EMAIL PROTECTED]> >To: <[EMAIL PROTECTED]> >Subject: [Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127 >Date: Fri, 23 Apr 2004 10:38:23 -0500 > > > > Sound familiar to anyone? > > Today catched worm wmiprvsw.exe. This worm incorporates > stealth capabilities - it hides it's process in memory and > also it's exe is not seen in directory listing, when worm > is active. Although it does not hide registry entries, it > shuts down regedit, when regedit is executed. It creates > two registry entries 'System Updater Service' under Run > and RunServices. > > Then it starts scan following ports : > > 2745 > 135 > 1025 > 445 > 3127 > 6129 > 139 > 3140 > > Thats all for now - weekend :) > > W. > -- > ___________________________________________________________ > Sign-up for Ads Free at Mail.com > http://promo.mail.com/adsfreejump.htm > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > -- Ian Latter Internet and Networking Security Officer Macquarie University _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html