North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

RE: New Worm

  • From: Roeland Meyer
  • Date: Fri Sep 14 12:25:16 2001

Strange that this one resurfaces just after we discussed Win shares t'other

-----Original Message-----
From: Hire, Ejay [mailto:[email protected]]
Sent: Friday, September 14, 2001 8:25 AM
To: [email protected]
Subject: RE: New Worm

I was in error.  This is not a new worm.  Just an old one that won't die.


-----Original Message-----
From: Ejay Hire [mailto:[email protected]]
Sent: Friday, September 14, 2001 12:04 PM
To: [email protected]
Subject: New Worm

My Honeypot was infected with a new self-replicating worm yesterday.  It
appears to check for open win95/98/me netbios shares with read/write
permission and installs wininit.exe (the scanner/infector) and the client (In quiet Mode).  Upon reboot, the scanner will start
and search for infectable hosts during periods of inactivity.  The windows
2000 pro pc seems unaffected.  I will make the files available for
dis-assembly if anyone is interested.

To check for infection, look for the following files in c:/windows/system

wininit.exe  --Application
wininit.log  --Apparent Log file
info.dll   --Apparent Log file
dnetc.exe  -- client
dnetc.ini -- config
Buff-in.* -- work units
ms216.exe -- Unknown, but the timestamp matched the other files...