[Intrusions] MyDoom.M/O Registration Process

Timothy Chase timothychase at gmail.com
Wed Jul 28 14:39:56 GMT 2004


Joe,

It looks like that piece will be particularly helpful.  I have gotten
a tiny bit of traffic on 1034, but I am not seeing the widespread
scanning which I expected.  Your piece helps to explain this as well.

Tim

On Wed, 28 Jul 2004 10:00:02 -0400, Joe Stewart <jstewart at lurhq.com> wrote:
> On Tuesday 27 July 2004 6:06 pm, Fitton, Robert (Bob) wrote:
> > I observed the same phenomenon internally: infected machines on
> > different VLANs were attempting to reach each other on tcp 1034 (but
> > being blocked by inter-VLAN access lists).  How did they learn about
> > each other?  Port 1034 is NOT open either incoming or outgoing
> > through the firewalls.
> 
> I've written up an analysis of how the whole MyDoom/Zincite/Zindos
> system works. It explains how the infected machines know about each
> other.
> 
> http://www.lurhq.com/zindos.html
> 
> -Joe
> 
> --
> Joe Stewart, GCIH
> Senior Security Researcher
> LURHQ http://www.lurhq.com/
> 
> 
> _______________________________________________
> Intrusions mailing list
> Intrusions at lists.sans.org
> http://www.dshield.org/mailman/listinfo/intrusions
>
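The behaviour Bob describes above (internal hosts on different VLANs trying to reach each other on tcp/1034 and being stopped by inter-VLAN access lists) is visible in ACL deny logs. The following script is an added example, not code from the original thread or from LURHQ: it parses constructed, generic ACL-deny lines, keeps only TCP attempts to port 1034 where both endpoints are internal, and lists which hosts are initiating, which are being targeted, and which appear on both sides (peers that already know each other's address rather than scanners sweeping a range). The log format, the internal address ranges and the sample addresses are all assumptions made for the example.

```python
"""Flag intra-network tcp/1034 connection attempts in ACL deny logs.

Added example, not part of the original thread. The log line format is a
constructed, generic one; adjust LINE_RE to match a real device's output.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Address space treated as "inside" the organisation (assumption for this example).
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]
WATCH_PORT = 1034  # port discussed in the thread

# Constructed sample ACL deny lines; addresses and timestamps are invented.
SAMPLE_LOG = """\
Jul 27 17:58:01 fw1 %ACL-DENY: tcp 10.10.1.15:3921 -> 10.10.2.40:1034
Jul 27 17:58:02 fw1 %ACL-DENY: tcp 10.10.1.15:3922 -> 10.10.2.41:1034
Jul 27 17:58:05 fw1 %ACL-DENY: tcp 10.10.3.7:1055 -> 10.10.2.40:1034
Jul 27 17:58:09 fw1 %ACL-DENY: tcp 10.10.1.15:3930 -> 10.10.4.9:1034
Jul 27 17:58:10 fw1 %ACL-DENY: tcp 10.10.3.7:1056 -> 10.10.1.15:1034
Jul 27 17:58:12 fw1 %ACL-DENY: tcp 10.10.5.22:4400 -> 10.10.2.40:445
Jul 27 17:58:15 fw1 %ACL-DENY: tcp 10.10.9.3:2020 -> 203.0.113.10:1034
"""

# Matches "<proto> <src>:<sport> -> <dst>:<dport>" anywhere in a line.
LINE_RE = re.compile(
    r"(?P<proto>tcp|udp)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)


def is_internal(addr: str) -> bool:
    """True if the address falls inside one of INTERNAL_NETS."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def parse_events(text: str, port: int = WATCH_PORT):
    """Return (src, dst) pairs for TCP attempts to `port` between internal hosts.

    Lines for other ports, UDP, or with an external endpoint are ignored:
    the indicator of interest is inside-to-inside traffic on the watched port.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        if is_internal(m["src"]) and is_internal(m["dst"]):
            events.append((m["src"], m["dst"]))
    return events


def targets_by_source(events):
    """Map each initiating host to the sorted list of internal hosts it tried."""
    out = defaultdict(set)
    for src, dst in events:
        out[src].add(dst)
    return {src: sorted(dsts) for src, dsts in out.items()}


def mutual_hosts(events):
    """Hosts seen both initiating and receiving attempts.

    A host that is targeted by one peer and itself targets others is the
    strongest sign of peers that already know each other's addresses.
    """
    srcs = {s for s, _ in events}
    dsts = {d for _, d in events}
    return sorted(srcs & dsts)


def report(text: str) -> str:
    """Human-readable summary of the findings for one log excerpt."""
    events = parse_events(text)
    lines = [f"{len(events)} internal tcp/{WATCH_PORT} attempt(s) found"]
    for src, dsts in sorted(targets_by_source(events).items()):
        lines.append(f"  {src} -> {', '.join(dsts)}")
    lines.append(f"hosts seen on both sides: {', '.join(mutual_hosts(events)) or 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Only the inter-VLAN attempts that the ACLs logged are visible this way; connections between hosts on the same VLAN never cross the ACL and need host or switch-level telemetry instead. Both source and destination hosts in the output are candidates for inspection, since the destination was chosen for a reason.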
