List: intrusions
Subject: RE: Lioten Worm 135-139 and 445
From: Stacey Conrad <Stacey.Conrad () millersville ! edu>
Date: 2002-12-18 18:55:29
We've discovered an instance of it here. I have not had a chance to look at
it much, but we've pulled it from the network pending an investigation.
If anyone has any information about it, I would really appreciate it!
Stacey Conrad
Millersville University
-----Original Message-----
From: James C Slora Jr [mailto:Jim.Slora@phra.com]
Sent: Tuesday, December 17, 2002 9:45 AM
To: intrusions@incidents.org
Subject: Lioten Worm 135-139 and 445
Incidents.org reports the Lioten worm as active. AV vendor sites report its
existence but show no infections. It spreads on NT/W2K through TCP and UDP
on ports 135-139 and 445 - through NetBIOS. It uses short brute force
password attacks on all enumerated users found during a null session probe,
and installs itself as %system%\Iraq_oil.exe.
Has anyone seen this worm in the wild? Any packet captures?
http://www.sarc.com/avcenter/venc/data/w32.hllw.lioten.html (signature not released yet)
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_LIOTEN.A (signature released)
http://vil.nai.com/vil/content/v_99897.htm (signature not released yet)
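
An added example, not part of either message: one way to look for the behaviour the original post describes, failed logons against many enumerated accounts from a single source on ports 135-139 and 445. The log format, function names, thresholds and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Ports named in the post: 135-139 and 445.
LIOTEN_PORTS = set(range(135, 140)) | {445}

# Constructed sample records (assumed format, not a real capture):
# epoch_seconds  source_ip  dst_port  event  account
SAMPLE = """\
1000 192.0.2.10 139 CONNECT -
1001 192.0.2.10 139 LOGON_FAIL administrator
1002 192.0.2.10 139 LOGON_FAIL administrator
1003 192.0.2.10 139 LOGON_FAIL guest
1004 192.0.2.10 445 LOGON_FAIL backup
1005 192.0.2.10 445 LOGON_FAIL jsmith
1006 192.0.2.10 445 LOGON_FAIL jsmith
1010 198.51.100.7 445 LOGON_FAIL alice
1015 198.51.100.7 445 LOGON_FAIL alice
1030 198.51.100.7 445 LOGON_OK alice
1040 203.0.113.5 80 LOGON_FAIL bob
"""

def parse(text):
    """Yield (ts, src, port, event, user) tuples from the assumed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, port, event, user = parts
        yield int(ts), src, int(port), event, user

def find_sprayers(records, min_users=4, window=60):
    """Return {src: sorted accounts} for sources whose failed logons on the
    NetBIOS/SMB ports hit at least min_users distinct accounts in `window` s."""
    fails = defaultdict(list)
    for ts, src, port, event, user in records:
        if event == "LOGON_FAIL" and port in LIOTEN_PORTS:
            fails[src].append((ts, user))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged
```

A single user mistyping one password (198.51.100.7 in the sample) is not flagged, because the check keys on the number of distinct accounts rather than the number of failures.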