
New Member

Detecting worms or viruses with combination of events

Dear list,

I need some advice.

I have a list of internal network addresses that have triggered the following events at some period in time.

The events are triggered when an internal address is communicating with another internal address.

I am aware that when Nimda or Nachi worms are detected at the console then there are several events that are triggered all together.

Do the combinations of events below mean anything special?

Can these combinations of events be attributed to any worm or virus?

Are there other combinations of events, other than the ones for Nimda or Nachi, that mean anything special?

1.
Windows Locator Service Overflow ID: 3314
Windows Registry Access ID: 3306
Windows Startup Folder Remote Access ID: 3326

2.
Windows Locator Service Overflow ID: 3314
Samba call_trans2open Overflow ID: 3325

3.
Windows Locator Service Overflow ID: 3314
Samba call_trans2open Overflow ID: 3325
Windows Startup Folder Remote Access ID: 3326

5 REPLIES
New Member

Re: Detecting worms or viruses with combination of events

I guess these are normal, dude. I mean, they are not harmful...

New Member

Re: Detecting worms or viruses with combination of events

I like your answer, but why do you think they are normal?

New Member

Re: Detecting worms or viruses with combination of events

These events are all triggered in my environment by users connecting to our servers using Remote Desktop Connection in XP. For my environment this is normal benign traffic from certain segments, i.e. the server support segment.

New Member

Re: Detecting worms or viruses with combination of events

Can you perhaps explain how remote desktop data can trigger this event, and why?

New Member

Re: Detecting worms or viruses with combination of events

"Windows Locator Service Overflow ID: 3314

Windows Registry Access ID: 3306

Windows Startup Folder Remote Access ID: 3326"

I set IP Logging for these signatures and captured about 100 ... I used ethereal to manually go through each one and ALL of them were SMS traffic... either the SMS client logging on, pulling info from the domain controllers... sms client communicating with the logon/distribution servers... sms servers communicating with the clients... watching the traffic, sms sure is a chatty application... it has set off several signatures...
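As an added example (not code from the thread or from Cisco), a small correlation script in the spirit of the original question and the last two replies: it groups IDS hits per internal source/destination pair, reports only pairs that completed one of the three signature combinations listed in the question, and marks whether the source sits in a segment the replies describe as expected (server-support RDP, SMS client/server traffic) so those pairs can be reviewed rather than alerted on. The log line format, the addresses and the 10.0.50.0/24 "expected" segment are constructed assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Cisco IDS signature IDs quoted in the thread: 3314 Windows Locator Service Overflow,
# 3306 Windows Registry Access, 3325 Samba call_trans2open Overflow,
# 3326 Windows Startup Folder Remote Access. The three combinations the poster listed:
COMBOS = {
    "combo1": {3314, 3306, 3326},
    "combo2": {3314, 3325},
    "combo3": {3314, 3325, 3326},
}

# Hypothetical: segments whose hosts are expected to fire these signatures (the
# replies name RDP from a server-support segment and SMS client/server traffic).
EXPECTED_SOURCES = [ip_network("10.0.50.0/24")]

def parse_events(lines):
    """Parse constructed 'timestamp sigid src dst' lines into (sig, src, dst) tuples."""
    events = []
    for line in lines:
        if line.strip():
            _ts, sig, src, dst = line.split()
            events.append((int(sig), src, dst))
    return events

def correlate(events):
    """Group signatures per (src, dst) pair and name every listed combo it completes."""
    sigs_by_pair = defaultdict(set)
    for sig, src, dst in events:
        sigs_by_pair[(src, dst)].add(sig)
    findings = []
    for (src, dst), sigs in sorted(sigs_by_pair.items()):
        matched = [name for name, combo in COMBOS.items() if combo <= sigs]
        if matched:  # a pair that completed a whole combination, not a lone signature
            expected = any(ip_address(src) in net for net in EXPECTED_SOURCES)
            findings.append({"src": src, "dst": dst, "sigs": sorted(sigs),
                             "combos": matched, "expected_source": expected})
    return findings

# Constructed sample: one pair from the expected segment, one from elsewhere, one stray hit.
SAMPLE_LOG = """\
2004-03-01T08:00:01 3314 10.0.50.12 10.0.10.5
2004-03-01T08:00:02 3306 10.0.50.12 10.0.10.5
2004-03-01T08:00:02 3326 10.0.50.12 10.0.10.5
2004-03-01T08:05:10 3314 10.0.77.9 10.0.10.5
2004-03-01T08:05:11 3325 10.0.77.9 10.0.10.5
2004-03-01T08:05:12 3326 10.0.77.9 10.0.10.5
2004-03-01T08:09:00 3306 10.0.77.9 10.0.10.6
"""
```

Running correlate(parse_events(SAMPLE_LOG.splitlines())) returns the two pairs that completed a combination; the 10.0.77.9 pair is flagged from an unexpected segment and completes both combo2 and combo3, which is where IP logging and a packet capture, as the last reply did, would tell SMS chatter from something worth escalating.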
