[Intrusions] MyDoom.M/O Registration Process
Merton Campbell Crockett
mcc at CATO.GD-AIS.COM
Tue Jul 27 00:52:19 GMT 2004
One of our systems was compromised by the MyDoom.M/O worm today. The
system has been disconnected from the network while IT attempts to remove
the worm from the system.

The system has been disconnected from the network for 7 hours. I am still
seeing external systems attempting to establish connections to the
compromised system.

Has anyone identified the mechanism by which the system "registers" that
it is available for use and can be accessed on TCP port 1034?

Merton Campbell Crockett