worm found on ccm

ciscoforum
Level 1

Our publisher got a worm. It keeps sending huge traffic out on TCP port 445. It's CCM 3.33sr4a with 2000-2-6. Based on the symptoms it looks like Sasser. It requires MS04-011, but 2000-2-6 contains that already. CCM is still working fine now. We'll patch it with the latest patch and CSA. The weird thing is that the sub is not affected.

Besides the upgrade patch, what else can we do to kill the worm?


yshraybman
Level 4

Go to trendmicro.com. They have a free online scan and it is very good.

thisisshanky
Level 11

Also, at symantec.com you have the Sasser removal tool (a small exe). You download it from the website and run it locally, and it will scan the hard drive for affected files and remove them.

Sankar Nair
UC Solutions Architect
Pacific Northwest | CDW
CCIE Collaboration #17135 Emeritus

Steven Smith
Level 7

You could also use the stinger tool. I would highly recommend upgrading the OS to the latest version and then performing a scan.

http://vil.nai.com/vil/stinger/

ROBERT Clark
Level 1

Are you sure it is a worm?

Do you have NetBIOS over TCP disabled?

If the client has NBT disabled, it will always try to connect to the server at port 445 only. If the server answers on port 445, the session will be established and continue on that port. If it doesn't answer, the session will fail completely.

-Rob
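
A triage check for the question raised in the post above, as an added example that is not part of the original thread: it parses Windows `netstat -an` output and separates a few established SMB sessions on port 445 from many half-open connections to distinct hosts. The sample rows, the addresses and the thresholds are constructed assumptions.

```python
import re

# One TCP row of Windows `netstat -an`:  TCP  local:port  remote:port  STATE
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def summarize_445(netstat_text):
    """Count outbound connections whose remote port is TCP 445."""
    remotes, syn_sent, established = set(), 0, 0
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header lines, UDP rows, blank lines
        _lip, _lport, rip, rport, state = m.groups()
        if rport != "445":
            continue  # skips the local listener and inbound sessions to our 445
        remotes.add(rip)
        if state == "SYN_SENT":
            syn_sent += 1
        elif state == "ESTABLISHED":
            established += 1
    return {"distinct_remotes": len(remotes),
            "syn_sent": syn_sent, "established": established}

def looks_like_scanning(summary, max_remotes=10):
    """Heuristic (assumed threshold): many distinct targets, mostly half-open.
    A client with NBT disabled talks to a handful of servers on 445 and its
    sessions reach ESTABLISHED; a propagating worm probes many addresses."""
    return (summary["distinct_remotes"] > max_remotes
            and summary["syn_sent"] > summary["established"])

# Constructed sample: ordinary direct-hosted SMB to two file servers.
NORMAL = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        192.0.2.20:445         ESTABLISHED
  TCP    192.0.2.10:1035        192.0.2.21:445         ESTABLISHED
  TCP    192.0.2.10:445         192.0.2.30:2001        ESTABLISHED
"""

# Constructed sample: 40 half-open connections to 40 different addresses.
SCAN = NORMAL + "\n".join(
    f"  TCP    192.0.2.10:{1100 + i}        198.51.100.{i + 1}:445       SYN_SENT"
    for i in range(40))

if __name__ == "__main__":
    for name, text in (("normal", NORMAL), ("scan", SCAN)):
        s = summarize_445(text)
        print(name, s, "scanning" if looks_like_scanning(s) else "ok")
```
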

bhattacharya.s
Level 1

Please go ahead and put 2000.2.7 SR7. That should take care of all future issues too.
