echo: nthelp
to: Mike `/m`
from: Robert Comer
date: 2005-01-15 17:25:44
subject: Re: Best freeware tools for removing viruses, adware, and other junk?

From: "Robert Comer" 

> Wasn't there an exploit for port 445?

MSBlaster. (and others)

- Bob Comer


"Mike '/m'" wrote in message
news:9f5iu05jptpmgvrl3jd7vm74114o64u2pb{at}4ax.com...
> On Fri, 14 Jan 2005 22:44:42 -0800, Jeff Shultz wrote:
>
>>On Fri, 14 Jan 2005 22:00:21 -0500, Geo wrote:
>>
>>> "Mike N." wrote in message
>>> news:mscfu0t70m9cbdtlbifprl5opace69i89l{at}4ax.com...
>>>
>>>>    I've not run into this one yet...does it resist detection/removal,
>>>> or just come back by itself?
>>>
>>> Nothing I've found can detect or remove it. It disables AV software from
>>> seeing it and it's a persistent little bugger that has managed to avoid
>>> my removal attempts (my kids machine got infected and we ended up
>>> formatting it). Lots of customers seem to be getting hit by it too.
>>>
>>> What I noticed was a Sasser-like scan for port 445 to random IP
>>> addresses going out from my network, tracked it back to an IP address,
>>> did a netstat -n and saw the machine was infected, then ran avg, spybot,
>>> adaware, some web av check, nothing showed the machine as infected but
>>> it sure as heck was. I did see usb2.exe (or maybe it was winusb2.exe)
>>> running in the task list and that turned out to be the virus. Once I
>>> knew that I had infected customers who were having trouble cleaning
>>> check for the task and they too had it running.
>>>
>>> Geo.
>>
>>We block 445 at the routers... all the routers. So far we haven't had any
>>customers complain.
>>
>>It's actually one of the few portblocks that I agree with my boss on.
>>
>
> After the port-137 gang, port 445 is the most probed port on the server I
> have hanging out in the wind in a Canada datacenter.
>
> Wasn't there an exploit for port 445?
>
> /m

--- BBBS/NT v4.01 Flag-5
* Origin: Barktopia BBS Site http://HarborWebs.com:8081 (1:379/45)
SEEN-BY: 633/267 270 5030/786
@PATH: 379/45 1 106/2000 633/267

SOURCE: echomail via fidonet.ozzmosis.com
