[Snort-users] Win* machines - port 139 scans

Andrew Daviel andrew at ...523...
Thu Sep 28 14:46:08 EDT 2000


On Tue, 26 Sep 2000, Kevin Bogac wrote:

> We've got a rash of funlove viruses running around the internal 
> network and they're showing up as loads of netbios port scans. I 
> guess the virus scans for other boxes with shares so it can spread. 
> You could be seeing the same thing.
> 
> On 25 Sep 2000, at 21:39, Jerry Shenk wrote:
> 
> > I've been getting a TON of scans on port 139 for the past week....port
> > 139's been fairly high for awhile but in the last week, it's probably

I've seen lots of port 137 scans - 254 addresses from a class C,
source port 137 dest port 137 - which I attribute to
VBS/Netlog.worm.a.
Recently someone told me about a QAZ virus that also listens on
port 7597 and uses Windows shares to spread.

http://www.symantec.com/avcenter/venc/data/w32.hllw.qaz.a.html
http://security.sdsc.edu/publications/network.vbs.shtml
http://vil.nai.com/villib/dispvirus.asp?virus_k=98477

etc.

Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376
security at ...524...
PGP ID 0xC7624B49
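
The sweep pattern described in the message above (UDP source port 137 to destination port 137 across most of a class C) can be flagged from connection logs. This is an added example, not part of the original post or of Snort; the log line format, the function names, the thresholds and the sample addresses are all assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed line format (an assumption, not Snort's own output):
#   "<epoch> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(r"^(\d+) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")


def find_nbns_sweeps(lines, min_hosts=200, window=300):
    """Return {(src, dst_/24): host_count} for sources that sent UDP 137->137
    to at least min_hosts distinct addresses in one /24 within window seconds."""
    seen = defaultdict(dict)  # (src, net) -> {dst_host: last_seen_ts}
    hits = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not parse
        ts, proto, src, sport, dst, dport = m.groups()
        if proto.lower() != "udp" or sport != "137" or dport != "137":
            continue
        try:
            net = str(ipaddress.ip_network(dst + "/24", strict=False))
        except ValueError:
            continue  # malformed destination address
        ts = int(ts)
        hosts = seen[(src, net)]
        hosts[dst] = ts
        # Drop destinations last seen outside the sliding window.
        for host in [h for h, t in hosts.items() if ts - t > window]:
            del hosts[host]
        if len(hosts) >= min_hosts:
            hits[(src, net)] = max(hits.get((src, net), 0), len(hosts))
    return hits


def sample_log():
    """Constructed traffic: one /24 sweep plus ordinary name lookups."""
    lines = [f"{1000 + i} udp 198.51.100.7:137 -> 192.0.2.{i}:137"
             for i in range(1, 255)]
    # A workstation resolving a few names from source port 137: not a sweep.
    lines += [f"{1000 + i} udp 192.0.2.50:137 -> 192.0.2.{i}:137"
              for i in (1, 10, 20)]
    # A broadcast name query, unrelated TCP traffic and an unparseable line.
    lines += ["1005 udp 192.0.2.60:137 -> 192.0.2.255:137",
              "1006 tcp 192.0.2.60:1033 -> 192.0.2.10:139",
              "garbage line"]
    return lines
```

Counting distinct destinations per source and /24 inside a time window keeps ordinary name lookups, which also use port 137 on both ends, from triggering the alert.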



