[ale] ZoneAlarm in win98 being shut down (sorry)

Michael H. Warfield mhw at wittsend.com
Tue Nov 5 22:25:43 EST 2002


On Tue, Nov 05, 2002 at 10:15:30PM -0500, Kenneth W Cochran wrote:
> Hi:

> Sorry in advance...

> Windows virus/worm question - anything new running around
> that disables ZoneAlarm?  ZA kinda catches something like
> "johnb.exe" (johnh.exe?) but then disappears.  Where's a
> good place for further info?  (& what's a good AV pgm for
> Windows?)  Yeah, yeah, pointy hat -> me...

	Yeah...  BugBear at the very least.  That one has a list
of AV and personal firewalls it goes after and shuts down.  Don't
know about the "johnb.exe" though.

	Go to the various AV vendor sites and look up BugBear.

	BTW...  BugBear is an E-Mail propagator that also propagates
over open shares.  That includes printer shares and it will print
itself to network printers.  It does NOT, however, scan for netbios
shares.  If you see a lot of netbios name service traffic and attempts
to connect to port 139...  That's NOT BugBear.  That's probably one of
the, now several (5 and counting), variants of OpaServ.  They appeared on
the net about the same time and are being heavily confused but are not
related...  My honeypots are being swamped with OpaServ hits.  I'm also
seeing upwards of 900,000 port 137/udp netbios name service hits a
day against my "dark network" mostly due to OpaServ plus one, yet
to be determined, other malware (also not BugBear).

	If you get a copy of this beast, send it to me encrypted to
my PGP key please.  Thanks!

> -kc

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
