From: josborn on 13 Apr 2010 15:20

Somewhere we have a system with the Conficker worm on it. I have not been able to find it. I can do a system-by-system check, but that will take a long while. I know it spreads over TCP port 445; is there a way I can use Network Monitor 3.3 (or any other tool) to sit and listen on that port and, when it gets hit, record the IP of the infected system?

I am not sure if Network Monitor can filter by port. I am not against Wireshark either, but I need some directions on how to filter on or only scan port 445.

Any ideas?

Thanks
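An added example, not part of the original thread, of the approach the question is after: capture only TCP/445 traffic (Wireshark display filter `tcp.port == 445`, or `tcpdump -nn 'tcp port 445'` on a span/mirror port so you see more than your own host's traffic), then look for the one source that sends SYNs to many different hosts. A worm sweeping a subnet fans out across neighbours, while ordinary clients only talk to a file server or two. The Python below parses tcpdump's text output (an assumed line format) and ranks sources by the number of distinct hosts they tried on 445; the sample lines are constructed, not real traffic.

```python
"""Find the host spraying SMB (TCP/445) connection attempts across the LAN.

Reads tcpdump-style text lines (the format `tcpdump -nn 'tcp port 445'`
prints; assumed here), keeps only SYNs aimed at port 445, and counts how
many distinct destination hosts each source tried. A worm scanning the
subnet fans out to many hosts; normal clients talk to one or two servers.
"""
import re
from collections import defaultdict

# Constructed sample capture lines (not real traffic): 10.1.2.34 tries eight
# different neighbours on 445 within a second (one target repeated), two
# ordinary clients talk to the file server 10.1.2.5, and one server SYN-ACK
# plus one port-80 SYN are included to show what the filter ignores.
SAMPLE_LINES = """\
14:20:01.000101 IP 10.1.2.34.49301 > 10.1.2.50.445: Flags [S], seq 1, win 8192, length 0
14:20:01.000222 IP 10.1.2.34.49302 > 10.1.2.51.445: Flags [S], seq 2, win 8192, length 0
14:20:01.000333 IP 10.1.2.34.49303 > 10.1.2.52.445: Flags [S], seq 3, win 8192, length 0
14:20:01.000444 IP 10.1.2.34.49304 > 10.1.2.53.445: Flags [S], seq 4, win 8192, length 0
14:20:01.000555 IP 10.1.2.34.49305 > 10.1.2.54.445: Flags [S], seq 5, win 8192, length 0
14:20:01.000666 IP 10.1.2.34.49306 > 10.1.2.55.445: Flags [S], seq 6, win 8192, length 0
14:20:01.000777 IP 10.1.2.34.49307 > 10.1.2.56.445: Flags [S], seq 7, win 8192, length 0
14:20:01.000888 IP 10.1.2.34.49308 > 10.1.2.57.445: Flags [S], seq 8, win 8192, length 0
14:20:01.000999 IP 10.1.2.34.49308 > 10.1.2.57.445: Flags [S], seq 8, win 8192, length 0
14:20:02.100000 IP 10.1.2.10.50110 > 10.1.2.5.445: Flags [S], seq 9, win 65535, length 0
14:20:02.100500 IP 10.1.2.5.445 > 10.1.2.10.50110: Flags [S.], seq 10, ack 10, win 65535, length 0
14:20:02.200000 IP 10.1.2.12.50111 > 10.1.2.5.445: Flags [S], seq 11, win 65535, length 0
14:20:02.300000 IP 10.1.2.34.49330 > 10.1.2.77.80: Flags [S], seq 12, win 8192, length 0
"""

# timestamp, "IP", src.sport > dst.dport: Flags [..]
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_line(line):
    """Return (src, sport, dst, dport, flags) for one tcpdump line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m.group("src"), int(m.group("sport")),
            m.group("dst"), int(m.group("dport")), m.group("flags"))


def syn_fanout(lines, port=445):
    """Map each source IP to the set of distinct hosts it sent a SYN to on `port`.

    Only pure SYNs count (flags exactly "S"), so the SYN-ACKs a legitimate
    file server sends back from port 445 are not mistaken for scanning.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, _sport, dst, dport, flags = rec
        if dport == port and flags == "S":
            targets[src].add(dst)
    return targets


def suspects(lines, port=445, min_targets=5):
    """Sources that fanned out to at least `min_targets` distinct hosts, busiest first."""
    fan = syn_fanout(lines, port)
    hits = [(src, len(dsts)) for src, dsts in fan.items() if len(dsts) >= min_targets]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    import sys
    # Read a live or saved tcpdump text stream from stdin; fall back to the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES.splitlines()
    for src, n in suspects(source):
        print(f"{src} tried {n} distinct hosts on tcp/445")
```

Feed it live with `tcpdump -nn -l 'tcp dst port 445' | python find_445_scanner.py` from a machine whose capture interface sees the whole segment; on a switched network that means a mirror port, otherwise you only see SYNs aimed at the capturing host itself (which still names the scanner, just more slowly). Tune `min_targets` to the site: a vulnerability scanner or backup server will legitimately fan out too, so treat the list as candidates to check, not a verdict.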
From: "FromTheRafters" erratic on 13 Apr 2010 19:06

It is probably the one with the "hosts" file entry that stops the worm from wasting its time. Can't you write a script to check them out? How do you know it is Conficker?

<josborn(a)pcsii.com> wrote in message news:eaC9y4z2KHA.3652(a)TK2MSFTNGP02.phx.gbl...
> Somewhere we have a system with the Conficker worm on it. I have not been able to find it. I can do a system-by-system check, but that will take a long while. I know it spreads over TCP port 445; is there a way I can use Network Monitor 3.3 (or any other tool) to sit and listen on that port and, when it gets hit, record the IP of the infected system?
>
> I am not sure if Network Monitor can filter by port. I am not against Wireshark either, but I need some directions on how to filter on or only scan port 445.
>
> Any ideas?
>
> Thanks
From: Jesper Ravn on 14 Apr 2010 14:57

<josborn(a)pcsii.com> wrote in message news:eaC9y4z2KHA.3652(a)TK2MSFTNGP02.phx.gbl...
> Somewhere we have a system with the Conficker worm on it. I have not been able to find it. I can do a system-by-system check, but that will take a long while. I know it spreads over TCP port 445; is there a way I can use Network Monitor 3.3 (or any other tool) to sit and listen on that port and, when it gets hit, record the IP of the infected system?
>
> I am not sure if Network Monitor can filter by port. I am not against Wireshark either, but I need some directions on how to filter on or only scan port 445.
>
> Any ideas?

You could try one of the tools below.

Nmap
http://seclists.org/nmap-dev/2009/q1/869

Simple Conficker Scanner
http://www.honeynet.org/node/397

Nessus
http://blog.tenablesecurity.com/2009/03/detecting-conficker-with-nessus.html

/Jesper
From: josborn on 14 Apr 2010 18:14

Most of our McAfee clients will detect the broadcast and report that a BO stack error occurred. When I researched it, a lot of hits replied that it was Conficker, and I did the research and found that the service on Server 2003 that keeps stopping is a symptom of a Conficker broadcast. But I just can't find which system is doing the broadcasting.

Thanks

"FromTheRafters" <erratic @nomail.afraid.org> wrote in message news:%23ek2$312KHA.5212(a)TK2MSFTNGP04.phx.gbl...
> It is probably the one with the "hosts" file entry that stops the worm from wasting its time. Can't you write a script to check them out? How do you know it is Conficker?
>
> <josborn(a)pcsii.com> wrote in message news:eaC9y4z2KHA.3652(a)TK2MSFTNGP02.phx.gbl...
>> Somewhere we have a system with the Conficker worm on it. I have not been able to find it. I can do a system-by-system check, but that will take a long while. I know it spreads over TCP port 445; is there a way I can use Network Monitor 3.3 (or any other tool) to sit and listen on that port and, when it gets hit, record the IP of the infected system?
>>
>> I am not sure if Network Monitor can filter by port. I am not against Wireshark either, but I need some directions on how to filter on or only scan port 445.
>>
>> Any ideas?
>>
>> Thanks
From: josborn on 14 Apr 2010 18:15

Thanks, I will give it a try.

"Jesper Ravn" <jesper_ravn(a)hotmail.com> wrote in message news:F86FF434-272D-4F08-9835-81DBCD6354F2(a)microsoft.com...
> <josborn(a)pcsii.com> wrote in message news:eaC9y4z2KHA.3652(a)TK2MSFTNGP02.phx.gbl...
>> Somewhere we have a system with the Conficker worm on it. I have not been able to find it. I can do a system-by-system check, but that will take a long while. I know it spreads over TCP port 445; is there a way I can use Network Monitor 3.3 (or any other tool) to sit and listen on that port and, when it gets hit, record the IP of the infected system?
>>
>> I am not sure if Network Monitor can filter by port. I am not against Wireshark either, but I need some directions on how to filter on or only scan port 445.
>>
>> Any ideas?
>
> You could try one of the tools below.
>
> Nmap
> http://seclists.org/nmap-dev/2009/q1/869
>
> Simple Conficker Scanner
> http://www.honeynet.org/node/397
>
> Nessus
> http://blog.tenablesecurity.com/2009/03/detecting-conficker-with-nessus.html
>
> /Jesper