[31533] in North American Network Operators' Group


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: Port 139 scans

daemon@ATHENA.MIT.EDU (ken lindahl)
Wed Sep 27 14:50:46 2000

Date: Wed, 27 Sep 2000 11:43:43 -0700 (PDT)
From: ken lindahl <lindahl@ack.Berkeley.EDU>
Message-Id: <200009271843.LAA20311@ack.Berkeley.EDU>
To: bbecker@iconn.net
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu

On Wed, 27 Sep 2000, Bill Becker wrote:
> Speaking of the internet and the way it operates, is anyone else seeing a
> large number of random hosts scanning through their address space using TCP
> on port 139?
> 
> Bill

we've seen similar scans here at UCB, and have traced a number of them
to a win32 trojan variously named {note.com,Qaz.Trojan,QAZ.worm,TROJ_QAZ.A,
Trojan/Notepad,W32.HLLW.Qaz.A}. if you're so inclined, you can test
for this by telnetting to port 7597 on the machine that scanned you.
http://vil.nai.com/villib/dispVirus.asp?virus_k=98775 for details.

ken


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[31533] in North American Network Operators' Group

Re: Port 139 scans

daemon@ATHENA.MIT.EDU (ken lindahl)Wed Sep 27 14:50:46 2000

daemon@ATHENA.MIT.EDU (ken lindahl)
Wed Sep 27 14:50:46 2000