How to scan for a system with a worm that is spreading

Discussion in 'Virus Information' started by Guest, Apr 13, 2010.

  1. Guest

    Guest Guest

    Somewhere we have a system with the conflicker worm on it. I have not been
    able to find it. I can do a system by system check but that will take a
    long while. I know it spreads over TCP Port 445. Is there a way I can use
    Network Monitor 3.3 (or any other tool) to sit and listen to that port and,
    when it gets hit, record the IP of the infected system?

    I am not sure if Network Monitor can filter by port. I am not against
    Wireshark either, but I need some directions on how to filter or only scan
    port 445.

    Any ideas?

    Thanks
     
    Guest, Apr 13, 2010
    #1

  2. It is probably the one with the "hosts" file entry that stops the worm
    from wasting its time. Can't you write a script to check them out? How
    do you know it is conficker?
     
    FromTheRafters, Apr 14, 2010
    #2

  3. Guest

    Jesper Ravn Guest

    You could try one of the tools below.

    Nmap
    http://seclists.org/nmap-dev/2009/q1/869

    Simple Conficker Scanner
    http://www.honeynet.org/node/397

    Nessus
    http://blog.tenablesecurity.com/2009/03/detecting-conficker-with-nessus.html

    /Jesper
     
    Jesper Ravn, Apr 14, 2010
    #3
  4. Guest

    Guest Guest

    Most of our McAfee clients will detect the broadcast and report a BO stack
    error occurred. When I researched it, a lot of hits replied that it was
    conflick, and I did the research and found that the services on Server 2003
    that keep stopping were a symptom of a broadcast of conflicker.

    But I just can't find which system is doing the broadcasting.

    Thanks
     
    Guest, Apr 14, 2010
    #4
  5. Guest

    Guest Guest

    Thanks I will give it a try.


     
    Guest, Apr 14, 2010
    #5
  6. From: <>

    | Most of our McAfee clients will detect the broadcast and report a BO stack
    | error occurred. When I researched it, a lot of hits replied that it was
    | conflick, and I did the research and found that the services on Server 2003
    | that keep stopping were a symptom of a broadcast of conflicker.

    | But I just can't find which system is doing the broadcasting.

    | Thanks

    You didn't research it well enough. It is the conficker worm NOT conflicker.

    The first question would be...

    Why haven't you PROPERLY patched your servers to PREVENT a conficker infection?

    http://technet.microsoft.com/en-us/security/dd452420.aspx

    Addressed by the patch in...
    http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
     
    David H. Lipman, Apr 14, 2010
    #6
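
The approach asked about in post #1 (watch TCP 445 and record which address is doing the connecting), as an added example that is not part of the thread or of any tool named in it. It assumes the capture has been exported as tab-separated source/destination pairs, one per connection attempt to port 445; the function names and the threshold are illustrative.

```python
"""Rank hosts by how many distinct peers they try to reach on TCP 445."""
import ipaddress
from collections import defaultdict

# Input: one "src<TAB>dst" line per SYN to port 445, e.g. exported with
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst
#     -Y "tcp.dstport == 445 && tcp.flags.syn == 1 && tcp.flags.ack == 0"
# Constructed sample records (not real traffic):
SAMPLE = (
    [f"10.0.0.23\t10.0.0.{n}" for n in range(100, 108)]  # one host, 8 peers
    + ["10.0.0.40\t10.0.0.5"] * 3                        # client -> file server
    + ["10.0.0.40\t10.0.0.6"]
    + ["\t10.0.0.9", "garbage", "10.0.0.999\t10.0.0.1"]  # malformed rows
)


def fanout(lines):
    """Map each source IP to the set of distinct destinations it contacted."""
    peers = defaultdict(set)
    for line in lines:
        parts = line.strip().split("\t")
        if len(parts) != 2:
            continue  # blank line or a frame with an empty field
        try:
            src, dst = (ipaddress.ip_address(p) for p in parts)
        except ValueError:
            continue  # not an IP address
        peers[str(src)].add(str(dst))
    return peers


def suspects(lines, threshold=5):
    """Return [(src, distinct_peer_count)] at or above threshold, busiest first.

    threshold is an assumed starting point: a normal client talks to a few
    file servers, so tune it to what is usual on the network being watched.
    """
    counts = [(src, len(dsts)) for src, dsts in fanout(lines).items()]
    hits = [c for c in counts if c[1] >= threshold]
    return sorted(hits, key=lambda c: (-c[1], c[0]))


if __name__ == "__main__":
    for src, n in suspects(SAMPLE):
        print(f"{src}\t{n} distinct hosts contacted on TCP 445")
```

Repeated connections to the same server count once, so the ranking reflects how widely a host is reaching out rather than how busy it is; authorised vulnerability scanners and management servers will also rank high and need to be excluded by hand.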