Similar to an earlier post, we are seeing another worm. This one uses the process name wmediaplayer.exe and seems to be spreading using weak or nonexistent administrator account passwords. Infected machines also appear to be scanning other hosts on ports 135, 139 and 445. Suspicious keys in HKLM\Software\Windows\CurrentVersion\Run refer to the executable name.
As usual, none of the antivirus vendors have signatures for this yet.
It’s just another day on the Internet. I’m not sure if it was someone on this campus that reported it, but the DDoS mentioned at ISC was also seen here.
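With no antivirus signatures available, the scanning behaviour noted above is the most usable network indicator. The following is an added example, not part of the original post: it flags sources that contact many distinct hosts on ports 135, 139 and 445. The flow record format, the addresses and the threshold are assumptions constructed for illustration.

```python
from collections import defaultdict

WORM_PORTS = {135, 139, 445}  # ports the post reports infected hosts scanning
FANOUT_THRESHOLD = 5          # assumed: distinct destinations before flagging

# Constructed sample flow records, one per line: "time src_ip dst_ip dst_port"
SAMPLE_FLOWS = "\n".join(
    # one source sweeping six different hosts across the three ports
    [f"12:00:0{i} 10.0.0.23 10.0.1.{i} {p}"
     for i, p in enumerate([445, 445, 135, 139, 445, 135], 1)]
    # ordinary client talking repeatedly to a single file server
    + ["12:00:07 10.0.0.40 10.0.0.5 445"] * 8
    # unrelated traffic and a malformed record
    + ["12:00:08 10.0.0.41 10.0.1.9 80", "garbled line"]
)


def find_scanners(flow_text, threshold=FANOUT_THRESHOLD):
    """Return {src_ip: {port: distinct_dst_count}} for sources whose
    distinct destinations on WORM_PORTS reach the threshold."""
    targets = defaultdict(lambda: defaultdict(set))
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[3].isdigit():
            continue  # skip malformed records
        _, src, dst, port = fields
        port = int(port)
        if port in WORM_PORTS:
            targets[src][port].add(dst)

    flagged = {}
    for src, by_port in targets.items():
        # Count distinct hosts, not connections: a busy client of one
        # file server has high volume but a fan-out of 1.
        all_dsts = set().union(*by_port.values())
        if len(all_dsts) >= threshold:
            flagged[src] = {p: len(d) for p, d in sorted(by_port.items())}
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_FLOWS).items():
        print(f"{src} possible scanner, distinct targets per port: {ports}")
```

Hosts flagged this way are candidates for checking the process list and Run key entries for the executable name mentioned above.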