[unisog] New virus or is it just our turn :-)

Jens Haeusser jens.haeusser at ubc.ca
Fri Apr 2 19:32:56 GMT 2004

Peter Van Epp wrote:

>	Yesterday morning there was a huge spike in scanning for ports 
>80, 445, 1025, 3127 and 6129. While this seems to me to be somewhat the usual
>suspects for previous viri (except for the volume seen here), this morning 
>there are about a dozen or so machines scanning for port 135 (and apparantly 
>the webdav hole from one of our web server operator's logs) which are just 
>about to leave the network :-). Is there a new virus I haven't heard of 
>running or has it just become our turn for one of the old ones?
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
We are seeing the same thing at UBC- perhaps it is BC Universities' 
turn... Most of the PCs we've managed to visit have been identified by 
McAfee as running PolyBot. These scans seem to be from the latest 
version of Agobot/Polybot/Phatbot/etc - see the excellent description at 
LURHQ - http://www.lurhq.com/phatbot.html . SANS' Internet Storm Center 
has also noticed these new scans- 
http://isc.sans.org/diary.html?date=2004-04-01 .

Jens Haeusser
Manager, Information Security Office
University Of British Columbia

More information about the unisog mailing list