Hi everyone! Just an FYI on a new worm.
There is a new worm variant out there which is beginning to be picked up by
the press. We got hit last week by one called spybot (but NOT related to
the program) which also uses port 445. We were the first to call it into
NAV who very promptly published a fix. I'm sure other AV vendors will also
follow suit. In all our cases the "bot" was trying to scan addresses in the
149.8.x.x and 149.7.x.x ranges and also used port 445.
Regards
JCB
-----Original Message-----
From: Richard Urwin [mailto:richard@xxxxxxxxxxxxxxx]
Sent: Monday, October 11, 2004 11:49 AM
To: ethereal-users@xxxxxxxxxxxx
Subject: Re: [Ethereal-users] ARP-Protokoll
On Monday 11 Oct 2004 7:22 am, Richard Urwin wrote:
> On Sunday 10 Oct 2004 4:56 pm, Freenet-Old wrote:
> > Dear Sirs and Mesdames,
> >
> > I hope you could help me. Yesterday I installed etheral to oberseve
> > my Cable-Modem-Internet connection. Why? Since a cuple of weeks I
> > can see flashing lights on my modem - indicating network traffic -
> > but no program ist open nor the IE is running. My provider shows me
> > 1 GB of upload. Hmm. Etheral showed me, that when all known
> > web-applications on my PC are closed, 100 % of entwork traffic come
> > from using the ARP-Protokol, broadcasting somthing like "who is" or
> > "hihi..."? How can I identify the source of the traffic and how can
> > I stop it? It would be great to hear from you.
>
> Several well-known viruses do that. I suggest you update your
> anti-virus database and do a full scan.
There's a new virus out that the anti-virus packages only caught within
the last few days, wootbot. They haven't got any details on it yet, so
this is based on my experience:
It appears to do start off with very rapid ARP messages to random IP
addresses within the local network (depending on the IP address class,
not the netmask.) It then connects to any machines it finds on TCP port
445.
To fix it open the Task Manager and end process msmsgs.exe, then remove
msmsgs.exe from the system32 folder. To avoid re-infection get
up-to-date with windowsupdate.com.
There may be other filenames, but this is the only variant that we
caught at our office.
--
Richard Urwin
_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users