[Intrusions] MyDoom.M/O Registration Process

Joe Stewart jstewart at lurhq.com
Wed Jul 28 14:00:02 GMT 2004


On Tuesday 27 July 2004 6:06 pm, Fitton, Robert (Bob) wrote:
> I observed the same phenomenon internally: infected machines on
> different VLANs were attempting to reach each other on tcp 1034 (but
> being blocked by inter-VLAN access lists).  How did they learn about
> each other?  Port 1034 is NOT open either incoming or outgoing
> through the firewalls.

I've written up an analysis of how the whole MyDoom/Zincite/Zindos 
system works. It explains how the infected machines know about each 
other.

http://www.lurhq.com/zindos.html

-Joe

-- 
Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/


