[Dshield] Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
matthias at vorlon2.dyndns.org
Wed Apr 21 06:33:02 GMT 2004
On 21.04.2004 04:02, Jeff Kell wrote:
> * listens on two random, high-numbered tcp ports
> * picks a random address within the infected machine's /8 subnet
> * scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
> source ports (the source port is not fixed).
That sounds like an Agobot/Gaobot/... variant; we had quite a number of
infected hosts here too. I found two different variants; it took days
until the commonly used virus scanners were able to detect both. Samples
were submitted. It seems like the number of exploits tried by the worm
is growing; lately more ports have been scanned than before.
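
The scan pattern quoted above can be turned into a flow-log check. The following is an added example, not part of the original thread: it flags sources that probe tcp 80, 6129, 1025, 3127 in that order on several destinations inside their own /8. The record layout, the `min_targets` threshold, the reading that each target receives the full port sequence, and all sample addresses are assumptions made for illustration.

```python
from collections import defaultdict

# Port order reported in the quoted message.
SCAN_PORTS = (80, 6129, 1025, 3127)

def _probe(t, src, dst, ports):
    """Build constructed flow records: (epoch seconds, src, dst, dst tcp port)."""
    return [(t + i, src, dst, p) for i, p in enumerate(ports)]

# Constructed sample data, not captured traffic.
SAMPLE_FLOWS = (
    _probe(100, "10.1.2.3", "10.44.7.9", (80, 6129, 1025, 3127))
    + _probe(110, "10.1.2.3", "10.200.13.77", (80, 80, 6129, 1025, 3127))  # SYN retry
    + _probe(120, "10.1.2.3", "10.9.250.4", (80, 6129, 1025, 3127))
    + _probe(130, "10.1.2.50", "10.3.3.3", (80, 80, 80))              # plain web use
    + _probe(140, "10.1.2.60", "10.5.5.5", (3127, 1025, 6129, 80))    # wrong order
    + _probe(150, "10.1.2.70", "192.0.2.10", (80, 6129, 1025, 3127))  # outside /8
)

def same_slash8(a, b):
    """True when two dotted-quad IPv4 addresses share the first octet."""
    return a.split(".")[0] == b.split(".")[0]

def in_order(seen, wanted):
    """True when 'wanted' occurs as an ordered subsequence of 'seen'."""
    it = iter(seen)
    return all(port in it for port in wanted)

def find_scanners(flows, min_targets=3):
    """Map each suspect source to the targets it probed with the full sequence."""
    per_pair = defaultdict(list)
    for _ts, src, dst, dport in sorted(flows):  # process in time order
        if dport in SCAN_PORTS and same_slash8(src, dst):
            per_pair[(src, dst)].append(dport)
    hits = defaultdict(set)
    for (src, dst), ports in per_pair.items():
        if in_order(ports, SCAN_PORTS):
            hits[src].add(dst)
    # Require several distinct targets so one odd connection is not flagged.
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_FLOWS).items():
        print(src, "probed", len(targets), "targets:", ", ".join(targets))
```
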