[Dshield] Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

Jeff Kell jeff-kell at utc.edu
Wed Apr 21 14:23:49 GMT 2004


Charles Hamby wrote:

> Jeff,
> 
> Aside from the scanning order this sounds remarkably like a bug that 
> we're battling right now.  It's taken out about 150 or so of our 
> hosts.  As of right now we don't know what the bug is, but we deployed a 
> honeypot yesterday to try to capture the malware and see if we can ID 
> the beast.

It appears to be a Gaobot derivative.  Changes the home page to be
<semi-random-chars>.t.muxa.cc.  Google for muxa.cc and you'll get some 
pointers.

Jeff



