echo: nthelp
to: Jeff Shultz
from: Mike `/m`
date: 2005-01-15 08:11:34
subject: Re: Best freeware tools for removing viruses, adware, and other junk?

From: Mike '/m' 

On Fri, 14 Jan 2005 22:44:42 -0800, Jeff Shultz
 wrote:

>On Fri, 14 Jan 2005 22:00:21 -0500, Geo wrote:
>
>> "Mike N."  wrote in message
>> news:mscfu0t70m9cbdtlbifprl5opace69i89l{at}4ax.com...
>>
>>>    I've not run into this one yet...does it resist detection/removal, or
>>> just come back by itself?
>>
>> Nothing I've found can detect or remove it. It disables AV software from
>> seeing it and it's a persistent little bugger that has managed to avoid my
>> removal attempts (my kids machine got infected and we ended up formatting
>> it). Lots of customers seem to be getting hit by it too.
>>
>> What I noticed was a Sasser-like scan for port 445 to random IP addresses
>> going out from my network, tracked it back to an IP address, did a netstat
>> -n and saw the machine was infected, then ran AVG, Spybot, Ad-Aware, some
>> web AV check, nothing showed the machine as infected but it sure as heck
>> was. I did see usb2.exe (or maybe it was winusb2.exe) running in the task
>> list and that turned out to be the virus. Once I knew that I had infected
>> customers who were having trouble cleaning check for the task and they too
>> had it running.
>>
>> Geo.
>
>We block 445 at the routers... all the routers. So far we haven't had any
>customers complain.
>
>It's actually one of the few portblocks that I agree with my boss on.
>

After the port-137 gang, port 445 is the most probed port on the server I
have hanging out in the wind in a Canada datacenter.

Wasn't there an exploit for port 445?

 /m

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
