[53019] in North American Network Operators' Group
Re: Odd behavior
daemon@ATHENA.MIT.EDU (Allan Liska)
Sat Oct 26 20:29:16 2002
Date: Sat, 26 Oct 2002 18:30:17 -0500 (EST)
From: Allan Liska <allan@allan.org>
To: Joe <joej@rocknyou.com>
Cc: nanog@merit.edu
In-Reply-To: <004c01c27d4f$33521160$0401a8c0@rocknyou.com>
Errors-To: owner-nanog-outgoing@merit.edu
On Sat, 26 Oct 2002, Joe wrote:
>
>
> Anyone noticing an increase in the amount of port 137 scans?
> I've seen just just over 100 in the last 1 hour. When I probe the
> offender I see them as MS items with their Harddrives shared wide open.
> Only thing in common is they all appear to have some file called put.ini
> in their root directory with a line that looks to be from a win.ini and
> states brasil.pif or exe. Maybe some new virus?
>
It looks like the W32/Opaserv-C virus:
http://www.sophos.com/virusinfo/analyses/w32opaservc.html
--
Allan Liska
allan@allan.org
htt://www.allan.org
