[Intrusions] MyDoom.M/O Registration Process

Fitton, Robert (Bob) Rfitton at laborready.com
Tue Jul 27 22:06:17 GMT 2004


I observed the same phenomenon internally: infected machines on
different VLANs were attempting to reach each other on tcp 1034 (but
being blocked by inter-VLAN access lists).  How did they learn about
each other?  Port 1034 is NOT open either incoming or outgoing through
the firewalls.

Bob Fitton
Labor Ready, Inc.
Tacoma, WA
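As an added example (not part of either post in this thread), the script below shows one way to turn the inter-VLAN ACL denies Bob describes into a list of suspect hosts: it parses deny-log lines, counts TCP connection attempts to port 1034 per source address, and flags pairs of hosts that are trying to reach each other in both directions, which is a strong sign that both ends are infected rather than one host scanning. The log format, the device names and all addresses are constructed for the example; a real firewall or router emits a different syntax, so the regular expression would need to be adapted.

```python
"""Summarise denied inter-VLAN TCP/1034 attempts to find likely MyDoom.M/O hosts.

Added example, not from the original posts. The log line format below is a
constructed, generic "deny tcp SRC:PORT -> DST:PORT" shape; adjust LINE_RE to
the syntax of the real device.
"""
import re
from collections import defaultdict

# Constructed sample ACL log lines (RFC 1918 addresses, invented hostnames).
SAMPLE_LOG = """\
Jul 27 21:58:01 acl-vlan10 deny tcp 10.10.1.25:3412 -> 10.20.4.7:1034
Jul 27 21:58:03 acl-vlan10 deny tcp 10.10.1.25:3413 -> 10.20.4.9:1034
Jul 27 21:58:05 acl-vlan20 deny tcp 10.20.4.7:1151 -> 10.10.1.25:1034
Jul 27 21:58:09 acl-vlan10 permit tcp 10.10.1.30:2201 -> 10.20.4.2:80
Jul 27 21:58:11 acl-vlan10 deny tcp 10.10.1.25:3414 -> 10.20.4.7:1034
Jul 27 21:58:14 acl-vlan30 deny udp 10.30.2.2:5000 -> 10.20.4.7:1034
Jul 27 21:58:20 acl-vlan20 deny tcp 10.20.4.7:1152 -> 10.10.1.40:1034
"""

# One regex for the constructed format; named groups keep the rest readable.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d+ \d\d:\d\d:\d\d) (?P<dev>\S+) (?P<action>deny|permit) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

MYDOOM_PORT = 1034  # backdoor port named in the thread


def parse_line(line):
    """Return a dict of fields for a recognised log line, or None."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, port=MYDOOM_PORT, min_attempts=2):
    """Count denied TCP attempts to `port` per source address.

    Returns {src: {"attempts": n, "targets": [dst, ...]}} for every source
    with at least `min_attempts` denied attempts. Permits, UDP and other
    destination ports are ignored so ordinary traffic does not add noise.
    """
    attempts = defaultdict(int)
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["action"] != "deny" or rec["proto"] != "tcp":
            continue
        if int(rec["dport"]) != port:
            continue
        attempts[rec["src"]] += 1
        targets[rec["src"]].add(rec["dst"])
    return {
        src: {"attempts": n, "targets": sorted(targets[src])}
        for src, n in attempts.items()
        if n >= min_attempts
    }


def mutual_pairs(summary):
    """Pairs of hosts that each tried to reach the other on the port.

    Two hosts attempting each other in both directions is the pattern Bob
    describes, and points at two infected peers rather than a lone scanner.
    """
    pairs = set()
    for src, info in summary.items():
        for dst in info["targets"]:
            if dst in summary and src in summary[dst]["targets"]:
                pairs.add(tuple(sorted((src, dst))))
    return sorted(pairs)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, info in sorted(report.items()):
        print(f"{src}: {info['attempts']} denied attempts -> {', '.join(info['targets'])}")
    for a, b in mutual_pairs(report):
        print(f"mutual attempts between {a} and {b}")
```

Run against the real deny logs, the per-source counts give an isolation list, and the mutual pairs are the hosts worth pulling first, since each already knows the other's address. Lowering `min_attempts` to 1 widens the net at the cost of catching single stray connections.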


-----Original Message-----
From: intrusions-bounces at lists.sans.org
[mailto:intrusions-bounces at lists.sans.org] On Behalf Of Merton Campbell
Crockett
Sent: Monday, July 26, 2004 5:52 PM
To: intrusions at lists.sans.org
Subject: [Intrusions] MyDoom.M/O Registration Process


One of our systems was compromised by the MyDoom.M/O worm today.  The
system has been disconnected from the network while IT attempts to remove
the worm from the system.

The system has been disconnected from the network for 7 hours.  I am still
seeing external systems attempting to establish connections to the
compromised system.

Has anyone identified the mechanism by which the system "registers" that
it is available for use and can be accessed on TCP port 1034?

Merton Campbell Crockett


-- 
BEGIN:				vcard
VERSION:			3.0
FN:				Merton Campbell Crockett
ORG:				General Dynamics Advanced Information Systems; Intelligence and Exploitation Systems
N:				Crockett;Merton;Campbell
EMAIL;TYPE=internet:		mcc at CATO.GD-AIS.COM
TEL;TYPE=work,voice,msg,pref:	+1(805)497-5045
TEL;TYPE=work,fax:		+1(805)497-5050
TEL;TYPE=cell,voice,msg:	+1(805)377-6762
END:				vcard

_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
