[Dshield] New tool making the rounds: MyDoom scanner

Pete Cap peteoutside at yahoo.com
Mon Feb 9 20:13:33 GMT 2004


Ken,
 
By all means, share.
I'm very interested in getting a look at these.
 
Regards,

Pete

Ken Eichman <keichman at cas.org> wrote:
> From: "Bjorn Stromberg" 
> Looks like there is a new tool making the rounds this weekend.
>
> I haven't got any packet captures but it looks like it's crawling IP
> Addresses and probing ports 3128 and 1080.
> I've got four instances of it sending SYN packets twice and one instance of
> it sending in groups of three. I would guess these are spammers / crackers
> looking for new open proxies to do their nefarious deeds.
> I'll open up my packet logger and see if I can catch what they're saying.

Bjorn,
I've been told by the SANS incident handler that this is the DeadHat.A worm.
The packet captures are around 150k although according to Trend's website
the worm itself is only 55k. I have a bunch of packet captures here if anyone's
interested. Ken

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list

---------------------------------
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online


More information about the list mailing list