[Dshield] New Worm

Jon R. Kibler Jon.Kibler at aset.com
Tue Aug 19 14:14:11 GMT 2003


BarkerJr wrote:
> 
> I'm not really sure about that.  Symantec's page says that it sends ICMP
> pings first.  So, if your firewall blocks ICMP pings, you shouldn't get a
> 135 from it.  Am I reading too much into it?
> 

We block pings (and just about everything else) at the firewall, but we still get the 135/TCP probes from the same IP as well.

In fact the pattern appears to be:
	ping
	probe 135/TCP
	ping
	ping

But not always.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA
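
The correlation described in the message above, as an added example that is not part of the original post: a Python script that groups dropped-packet records by source IP and flags sources whose pings and 135/TCP probes arrive close together, in either order since the sequence is "not always" the same. The log format, the function names and the 30-second window are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed firewall drop records (not real data): epoch seconds, source IP,
# protocol, destination port. ICMP records are assumed to be echo requests.
SAMPLE_LOG = """\
1061302400 192.0.2.10 icmp -
1061302401 192.0.2.10 tcp 135
1061302402 192.0.2.10 icmp -
1061302403 192.0.2.10 icmp -
1061302500 198.51.100.7 icmp -
1061302510 198.51.100.7 icmp -
1061302600 203.0.113.5 tcp 135
1061302700 192.0.2.44 icmp -
1061302900 192.0.2.44 tcp 135
"""

def parse(log):
    """Yield (timestamp, src, kind) for pings and 135/TCP probes only."""
    for line in log.splitlines():
        fields = line.split()
        if len(fields) != 4 or not fields[0].isdigit():
            continue  # skip malformed lines
        ts, src, proto, dport = fields
        if proto == "icmp":
            yield int(ts), src, "ping"
        elif proto == "tcp" and dport == "135":
            yield int(ts), src, "rpc135"

def correlate(log, window=30):
    """Label each source 'ping+135', '135-uncorrelated' or 'ping-only'."""
    events = defaultdict(lambda: {"ping": [], "rpc135": []})
    for ts, src, kind in parse(log):
        events[src][kind].append(ts)
    result = {}
    for src, ev in events.items():
        if not ev["rpc135"]:
            result[src] = "ping-only"
        # A ping within `window` seconds before OR after the probe counts.
        elif any(abs(p - r) <= window for p in ev["ping"] for r in ev["rpc135"]):
            result[src] = "ping+135"
        else:
            result[src] = "135-uncorrelated"
    return result

if __name__ == "__main__":
    for src, verdict in sorted(correlate(SAMPLE_LOG).items()):
        print(src, verdict)
```

Sources labelled `135-uncorrelated` either never pinged or pinged outside the window, so widening `window` shows how sensitive the match is to timing.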



