[Intrusions] 1023 or 1022 for sasser
Nick FitzGerald
nick at virus-l.demon.co.uk
Sun Aug 1 05:10:52 GMT 2004
lola marais wrote:
> I posted a question to the mcafee support team regarding a suspected typing
> error but I still do not have confirmation as to whether or not this is an
> error.
> According to the web page
> http://vil.nai.com/vil/content/v_125091.htm,
> In the section "Method Of Infection" it is mentioned.
> >It creates a remote shell on TCP port 1023.
> Is this correct or a typo, is it not meant to be 1022?
>
> Does the Sasser E virus create a shell on TCP 1023 or TCP 1022
I think that's a typo.
It's shell is on port 1022 (as that same description says _twice_ in
earlier paragraphs) and its (t)ftp server on 1023 (as is mentioned both
in that section and others). A few other AV references that agree with
this analysis:
http://www3.ca.com/securityadvisor/virusinfo/virus.aspx?ID=39087
http://www.sophos.com/virusinfo/analyses/w32sassere.html
http://www.sarc.com/avcenter/venc/data/w32.sasser.e.worm.html
--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
More information about the Intrusions
mailing list