Symantec warns of new spreading worm.

Harvey

Administrator, Elite Member
Oct 9, 1999
Norton AV usually issues their Live Updates on Wednesdays. I'm always concerned when I get one in between. From Symantec's security alerts:
Symantec Security Response is aware of a new worm which attempts to connect to a target host using TCP port 445. Upon successful connection, the worm copies a backdoor Trojan component, a file named inst.exe detected as Backdoor.Dvldr, to a set of paths hardcoded into the worm in order to load the Trojan from the StartUp folder. Then the worm attempts to launch remote services which perform actions such as copying and executing the backdoor, copying and executing the worm, deleting default shares and changing the attributes of the worm and backdoor Trojan to read only.

The worm exists as the file dvldr32.exe and is packed with ASPack.

Additional information will be provided as analysis continues.
My Zone Alarm already shows someone tried to hit my TCP port 445, today. Just a heads up. Update your AV and set your firewall phasers on kill.
 

DAPUNISHER

Super Moderator CPU Forum Mod and Elite Member
Aug 22, 2001
Thanx Harvey :) and bump!
 

silverpig

Lifer
Jul 29, 2001
Whoa. This is really weird. My subscription expired about two months ago and now I want to renew it. I clicked on Live Update and tried to update my definitions (which won't work until I renew my subscription, of course). It told me to buy a new subscription, which I tried to do. The Norton site was really, really slow for me, so I just decided to do it later. I went back to my running Norton Antivirus program and hit the <skip> button. It then let me download new virus definitions and everything. Weird.


And yes, this is a legit copy.
 

NesuD

Diamond Member
Oct 9, 1999
Hmm, wonder if that was what that yellow alert update pccillin was taking care of today. Usually pccillin just says an update is available. Today it called it a code yellow security alert update or something like that.
 

rome

Banned
Sep 5, 2002
Glad I have my Norton updating every day at 4am. Hardware firewalls are grand! :-D


 

Skyclad1uhm1

Lifer
Aug 10, 2001
It runs from the Startup folder? *snicker*
So if you press <Shift> during startup you can skip it... Most viruses/worms are at least smart enough to install themselves as a service.
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
A few notes, 445 is used by Microsoft for SMB over TCP. This site shows an interesting graph in seen 445 activity...
Bill

p.s. We really need a security forum here!
 

morkinva

Diamond Member
Nov 16, 1999
Hmm I haven't had an update to AVG since 2/25, seems like a long time for them.:(
 

helpme

Diamond Member
Feb 6, 2000
Originally posted by: morkinva
Hmm I haven't had an update to AVG since 2/25, seems like a long time for them.:(

Yeah, you're right. It's usually every couple of weeks though isn't it?
 

Gillbot

Lifer
Jan 11, 2001
My firewall log shows 1000's of attempts to gain access via 445 port.

"Sunday, March 09, 2003 4:21:49 PM Unrecognized access from IP Address Deleted to TCP port 445"
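
One way to triage a log like the one quoted in the post above, added here as an example and not part of the thread: it parses entries in that line format, keeps the TCP port 445 hits, and flags sources that repeat within a short window. The sample lines, the documentation-range addresses, the function names and the thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the quoted log entry. The poster's
# redacted source is replaced with RFC 5737 documentation addresses.
SAMPLE_LOG = """\
Sunday, March 09, 2003 4:21:49 PM Unrecognized access from 192.0.2.10 to TCP port 445
Sunday, March 09, 2003 4:21:52 PM Unrecognized access from 192.0.2.10 to TCP port 445
Sunday, March 09, 2003 4:22:03 PM Unrecognized access from 198.51.100.7 to TCP port 80
Sunday, March 09, 2003 4:22:10 PM Unrecognized access from 192.0.2.10 to TCP port 445
Sunday, March 09, 2003 4:40:00 PM Unrecognized access from 203.0.113.5 to TCP port 445
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w+, \w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"Unrecognized access from (?P<src>.+?) to (?P<proto>TCP|UDP) port (?P<port>\d+)$"
)
TS_FORMAT = "%A, %B %d, %Y %I:%M:%S %p"  # assumes English day/month names

def parse_line(line):
    """Return (timestamp, source, protocol, port), or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], TS_FORMAT), m["src"], m["proto"], int(m["port"])

def smb_probes(log_text, port=445):
    """Map each source to the timestamps of its TCP hits on the given port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "TCP" and rec[3] == port:
            hits[rec[1]].append(rec[0])
    return dict(hits)

def repeat_sources(hits, min_hits=3, window=timedelta(minutes=1)):
    """Sources with at least min_hits probes inside any single time window."""
    flagged = []
    for src, times in hits.items():
        times = sorted(times)
        # Slide over the sorted timestamps: compare hit i with hit i+min_hits-1.
        if any(times[i + min_hits - 1] - times[i] <= window
               for i in range(len(times) - min_hits + 1)):
            flagged.append(src)
    return sorted(flagged)

if __name__ == "__main__":
    print(repeat_sources(smb_probes(SAMPLE_LOG)))
```
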
 

The Wildcard

Platinum Member
Oct 31, 1999
I cannot imagine going on the web without running a firewall, lol. I run one even when I am on 56k Dialup...
 

zsouthboy

Platinum Member
Aug 14, 2001
Originally posted by: bsobel
A few notes, 445 is used by Microsoft for SMB over TCP. This site shows an interesting graph in seen 445 activity...
Bill

p.s. We really need a security forum here!

Agree wholeheartedly. Mods? Zuni? Whomever is in charge? :)