[Dshield] looks like a new virus via spamming

John D. lists at webcrunchers.com
Wed Aug 20 02:32:00 GMT 2003


>They also come in (the pifs and scrs) in zips.  So if your scanner doesn't
>open those zips, they'll pass right on through.  We are also in the middle
>of confirming that the most recent ones are using random address book /
>directory addresses as its originator address.  That will compound the
>problem of sourcing an infection.

actually, it shouldn't be that hard to find them. Just take a look at your spam... most would come from big named ISPs. These are the infected machines... the trick is to ping them, if active, then scan them, and see what port is "listening"... most likely some "unknown" port. First Received line would have the IP address of the infected victim's machine.

I'm assuming the SoBig trojan would be listening on some random port number, but it shouldn't be that hard to find. Then I would try to "telnet" into it and see what kind of response it gives... But to really know for sure, I would want to experiment on an infected machine.

Any ideas? Or am I way off base here....

John
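The part of this thread a responder can act on without touching anyone else's machine is the header analysis: working out which relay IP to report to the owning ISP, and noticing that the From: address is not that host. The script below is an added example, not code from the poster or from the DShield list. It parses the Received chain of a constructed sample message (all hostnames and addresses are made up, using documentation ranges and .invalid domains), treats the bottom-most Received header as the earliest hop (each MTA prepends its own), skips RFC 1918 and loopback addresses that belong to the sender's LAN, and flags when the From: domain does not appear in that earliest hop. Only the Received header added by your own MTA is trustworthy; anything below it could have been written by the sending host, so the result is a lead to give the ISP, not proof.

```python
import ipaddress
import re
from email import message_from_string

# Constructed sample message (not real mail): four hops, newest Received
# header at the top. The From: address belongs to an unrelated domain, as the
# thread describes for mail sent by an infected machine.
SAMPLE_RAW_MESSAGE = """\
Received: from mx.example-list.invalid (mx.example-list.invalid [192.0.2.10])
\tby lists.example.invalid with ESMTP id abc123; Wed, 20 Aug 2003 02:30:00 +0000
Received: from mail.example-isp.invalid (mail.example-isp.invalid [198.51.100.5])
\tby mx.example-list.invalid with ESMTP; Wed, 20 Aug 2003 02:29:40 +0000
Received: from dsl-203-0-113-77.example-isp.invalid ([203.0.113.77])
\tby mail.example-isp.invalid with SMTP; Wed, 20 Aug 2003 02:29:10 +0000
Received: from user-pc (user-pc [192.168.1.23])
\tby dsl-203-0-113-77.example-isp.invalid with SMTP; Wed, 20 Aug 2003 02:29:05 +0000
From: "Some Contact" <contact@unrelated.invalid>
To: victim@example.invalid
Subject: Re: your details

see attached
"""

# The bracketed literal an MTA records for the peer it accepted the message from,
# e.g. "(host.example [203.0.113.77])".
_IP_LITERAL = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Address space that cannot be the public side of a customer connection:
# RFC 1918 LANs, loopback and link-local. Documentation ranges are left in
# so the constructed sample works.
_NON_ROUTABLE = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


def _is_routable(ip):
    return not any(ip in net for net in _NON_ROUTABLE)


def received_chain(raw_message):
    """Return relay IPs in delivery order, earliest hop first.

    Every MTA prepends its own Received header, so the header that appears
    last in the message was added first and is closest to the origin.
    """
    msg = message_from_string(raw_message)
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = _IP_LITERAL.search(header)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:
            # Malformed literal such as 999.1.1.1: skip rather than trust it.
            continue
    return hops


def origin_candidate(raw_message):
    """Earliest routable relay IP as a string, or None if there is none.

    This is the address to hand to the owning ISP's abuse desk; LAN
    addresses from the sender's own network are skipped.
    """
    for ip in received_chain(raw_message):
        if _is_routable(ip):
            return str(ip)
    return None


def sender_mismatch(raw_message):
    """True when the From: domain is absent from the earliest Received header.

    The thread notes the worm fills From: with harvested addresses, so a
    mismatch is expected and means the From: address should not be blamed.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    domain = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if not received or not domain:
        return False
    return domain.group(1).lower() not in received[-1].lower()


if __name__ == "__main__":
    print("relay chain:", [str(ip) for ip in received_chain(SAMPLE_RAW_MESSAGE)])
    print("origin candidate:", origin_candidate(SAMPLE_RAW_MESSAGE))
    print("From: domain absent from origin hop:", sender_mismatch(SAMPLE_RAW_MESSAGE))
```

Run it against a saved raw message (headers included) instead of the constructed sample; the origin candidate is the address to report, together with the matching Received line and its timestamp, since a dynamic address is only meaningful to the ISP with the time attached.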
