[Dshield] New tool making the rounds: MyDoom scanner

Ken Eichman keichman at cas.org
Mon Feb 9 18:45:27 GMT 2004


> From: "Bjorn Stromberg" <bjorn at thechemistrylab.com>
> Looks like there is a new tool making the rounds this weekend.
>
> I haven't got any packet captures but it looks like it's crawling IP
> addresses and probing ports 3128 and 1080.
> I've got four instances of it sending SYN packets twice and one instance of
> it sending in groups of three. I would guess these are spammers / crackers
> looking for new open proxies to do their nefarious deeds.
> I'll open up my packet logger and see if I can catch what they're saying.

Bjorn,
I've been told by the SANS incident handler that this is the DeadHat.A worm.
The packet captures are around 150k although according to Trend's website
the worm itself is only 55k. I have a bunch of packet captures here if anyone's
interested.

Ken



