Reply to Mark
Re: SMB Service - Port 445
Deloader worm and update on tcp/445:
TCP port 445 is used for *direct* Microsoft Networking access. More specifically, it enables direct TCP/IP access to Microsoft Networking functions WITHOUT the need for a Netbios layer. This service is only implemented in the more recent versions of Windows (e.g. Windows 2000 and XP).
Hosts which are generating port probing to this port are usually worm infected. The most recent worm released with this pattern is the W32.Deloader worm (see below). Most anti-virus vendors didn't release anti-virus definitions for 2-3 days after the worm appeared, causing even anti-virus protected systems to be infected.
Additionally, because Deloader uses a much more extensive password list in its password crack routine, we are seeing it being more prolific than earlier worms using this same technique. We are also seeing firewall-protected networks becoming infected as a result of mobile laptops, AOL connections, and other VPN connections in much the same manner as the Opaserv worm, see: udp/137
This port is also a common target for Warez hackers who seek to turn your PC into a public file server. If anti-virus scans don't find a problem, you'll have to do a manual forensic analysis to identify possible Pubstro compromise as shown here: mNW Pubstro Analysis Guide
The Internet Neighborhood Watch
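The post's detection point is that hosts generating port probes to tcp/445 are usually infected. The following is an added example, not code from the original post or from The Internet Neighborhood Watch, showing how a defender might pick those hosts out of firewall logs: it counts, per source address, how many distinct destinations were contacted on TCP/445 and flags sources that fan out above a threshold. The log format is a constructed, iptables/syslog-style layout and the threshold of 5 is an assumed tuning value; both would need adapting to a real firewall and network.

```python
"""Flag internal hosts that are sweeping TCP/445 across many destinations.

Added example (not from the original post). The input format is a constructed,
syslog-style firewall log; real firewalls differ, so adapt LINE_RE accordingly.
"""
import re
from collections import defaultdict

# Constructed sample log lines. 10.0.0.12 sweeps six different hosts on 445
# (worm-like fan-out); 10.0.0.40 talks to one file server repeatedly; 10.0.0.77
# never touches tcp/445 at all.
SAMPLE_LOG = """\
Mar 10 02:14:01 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.1 PROTO=TCP DPT=445 SYN
Mar 10 02:14:01 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.2 PROTO=TCP DPT=445 SYN
Mar 10 02:14:02 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.3 PROTO=TCP DPT=445 SYN
Mar 10 02:14:02 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.4 PROTO=TCP DPT=445 SYN
Mar 10 02:14:03 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.5 PROTO=TCP DPT=445 SYN
Mar 10 02:14:03 fw kernel: OUT SRC=10.0.0.12 DST=192.0.2.6 PROTO=TCP DPT=445 SYN
Mar 10 02:14:05 fw kernel: OUT SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP DPT=445 SYN
Mar 10 02:14:05 fw kernel: OUT SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP DPT=445 SYN
Mar 10 02:14:06 fw kernel: OUT SRC=10.0.0.40 DST=10.0.0.5 PROTO=TCP DPT=445 SYN
Mar 10 02:14:07 fw kernel: OUT SRC=10.0.0.77 DST=203.0.113.9 PROTO=TCP DPT=80 SYN
Mar 10 02:14:08 fw kernel: OUT SRC=10.0.0.77 DST=203.0.113.9 PROTO=UDP DPT=137
"""

# Extracts the fields this check needs from one constructed log line.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def smb_fanout(log_text):
    """Map each source IP to the set of distinct destinations it hit on TCP/445."""
    fanout = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, proto, dport = rec
        if proto == "TCP" and dport == 445:
            fanout[src].add(dst)
    return fanout


def suspected_scanners(log_text, threshold=5):
    """Return {source: distinct_445_targets} for sources at or above threshold.

    Distinct-destination fan-out, not raw connection count, is what separates a
    sweeping host from a client that legitimately reconnects to one file server.
    The threshold is an assumed tuning value; a backup or inventory server that
    really does reach many hosts on 445 would need an allowlist.
    """
    return {
        src: len(dsts)
        for src, dsts in smb_fanout(log_text).items()
        if len(dsts) >= threshold
    }


if __name__ == "__main__":
    for src, count in sorted(suspected_scanners(SAMPLE_LOG).items()):
        print(f"{src}: contacted {count} distinct hosts on tcp/445, investigate")
```

Run on the embedded sample this reports only 10.0.0.12; the repeat traffic from 10.0.0.40 to a single server stays below the fan-out threshold, which is the behaviour you want so that ordinary file-sharing clients do not page the on-call.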