[Snort-users] WIN2K IRC Trojan

Gary Flynn flynngn at ...6811...
Fri Sep 6 14:00:04 EDT 2002

"F.M. Taylor" wrote:
> Dudez, wtf is up with this trojan/hack/bot/win2k exploit that seems to be
> speading itself fairly rapidly.  Is there a sig for this yet?  Does anyone
> even know how this thing is being spread??

Everyone I've talked to seems to think it spreads through
weak or nonexistent w2k Administrator passwords. If that
is the case, a signature that looks for netbios over tcp
connections to port 139 with the Administrator account 
trying to access the C$ share should do the trick.

Gary Flynn
Security Engineer - Technical Services
James Madison University

Please R.U.N.S.A.F.E.

More information about the Snort-users mailing list