|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
[Full-Disclosure] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Honza Vlach (janus
volny.cz)
Date: Thu Apr 22 2004 - 03:45:42 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi,
we've experienced this worm too, and disinfected it as a new variant of
Agobot (Gaobot). Basically it exploits poorly protected windows shared,
RCP Dcom bug in windows etc. (most of the people infected had admin/admin
login/passwords on their computers with default C$ share. Combine this
with heavily unpatched system and Agobot can pick an attack vector
according to it's current mood :-)
By the way, it also acts as an IRC backdoor, which makes infected
computers zombies.
more info at:
http://www.mynetwatchman.com/tools/sc/Agobot.htm
http://isc.sans.org/diary.php?date=2004-04-01
http://www.sophos.com/virusinfo/analyses/w32agobotga.html
Should be detected and disinfected by major antiviruses by now.
Avast4 worked well for us.
http://www.asw.cz/i_idt_1404.html
Have a nice day,
Honza Vlach
On Wed, Apr 21, 2004 at 02:16:04AM -0700, mgotts2roads.com wrote:
> To: Jeff Kell <jeff-kellutc.edu>
> Cc: Incidents <incidentssecurityfocus.com>,
> General DShield Discussion List <listdshield.org>
> Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
> X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
> From: mgotts2roads.com
> Date: Wed, 21 Apr 2004 02:16:04 -0700
>
> >
> > Sound familiar to anyone?
> >
>
> Have not seen the particular virus/worm, but have seen scans from single
> IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence.
>
> 6129 is default port for dameware remote control agent:
> http://isc.sans.org/port_details.php?port=6129
>
> 3127 is used by MyDoom, Novarg and variants
> http://isc.sans.org/port_details.php?isc=4359007a189bdac49792ce2e8ac2f7f0&port=3127&repax=1&tarax=2&srcax=2&percent=N&days=40
>
> I'd start with these. But it could, as always, be yet another variant.
> Lucky you.
>
> -- Mark Gottschalk
> Two Roads Professional Resources
--
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFAh4Y2SVzvioqX7FkRAl9CAKDuYFqgm5W3bpWLx5PtERRmXODutACgrCYa
h7ANxrbAbncxtiGZdX/QaUE=
=lOWP
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]