[42235] in North American Network Operators' Group
Re: New Worm
daemon@ATHENA.MIT.EDU (Jeff Gehlbach)
Fri Sep 14 11:31:43 2001
Date: Fri, 14 Sep 2001 11:29:59 -0400
From: Jeff Gehlbach <jeffg@empire.com>
To: Ejay Hire <Ejay.hire@broadslate.net>
Cc: nanog@merit.edu
Message-ID: <20010914112959.E5817@empire.com>
In-Reply-To: <012e01c13d36$f3cfe160$4801fe0a@Broadslate.net>; from Ejay.hire@broadslate.net on Fri, Sep 14, 2001 at 11:04:23AM -0500

On Fri, Sep 14, 2001 at 11:04:23AM -0500, Ejay Hire wrote:
> My Honeypot was infected with a new self-replicating worm yesterday.
> It appears to check for open win95/98/me netbios shares with read/write
> permission and installs wininit.exe (the scanner/infector) and the
> distributed.net client (In quiet Mode).

Matches the MO of W32.HLLW.Bymer, a pretty old one that hit my parents'
PC a while back:

http://www.symantec.com/avcenter/venc/data/w32.hllw.bymer.html

--
Jeff Gehlbach, Concord Communications <jgehlbach@concord.com>
Senior Professional Services Consultant, Atlanta
ph. 770.384.0184 fax 770.384.0183