[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?

Doug White doug at clickdoug.com
Mon Feb 9 20:25:01 GMT 2004


Here is a capture on a 3127 probe.
Apparently from a dynamic IP in Australia.
Packets are varying lengths.

Anyone know how to translate these? I would appreciate the information.



======================================
Stop spam on your domain, Anti-spam solutions
http://www.clickdoug.com/mailfilter.cfm
For hosting solutions http://www.clickdoug.com
======================================
Aspire to Inspire before you Retire or Expire!


----- Original Message ----- 
From: "Erik van Straten" <emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl>
To: <list at dshield.org>
Sent: Monday, February 09, 2004 12:46 PM
Subject: [DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?


: List,
:
: I've observed a rapid increase in 3127/tcp scans from seemingly
: random IP's. They're sequentially scanning our IP's, bottom-up.
:
: These seem to match Kaspersky's Doomjuice (published ~ 2 hours ago):
: http://www.viruslist.com/eng/alert.html?id=930701
:
: Details, incl. address generation algorithm:
: http://www.viruslist.com/eng/viruslist.html?id=930677
:
: Supposedly it also causes a DDoS against Microsoft.
:
: Note that this one seems to differ from Symantec's Deadhat:
: http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
:
: According to Symantec's description, Deadhat scans 3127/tcp, 3128/tcp
: and 1080/tcp (I've seen one or two of those).
:
: Regards,
: Erik van Straten
:
: _______________________________________________
: list mailing list
: list at dshield.org
: To change your subscription options (or unsubscribe), see:
: http://www.dshield.org/mailman/listinfo/list
:
:
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: TCP_Port_3127_Capture.txt
Url: http://www.dshield.org/pipermail/list/attachments/20040209/70665d58/TCP_Port_3127_Capture.txt
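As an added illustration, not part of the thread or the attached capture: a small detector that reads firewall drop lines for 3127/tcp and separates the two patterns Erik describes, a single-port sweep walking destination addresses upward (Doomjuice-like) and a 3127/3128/1080 probe against one host (Deadhat-like). The log format and all addresses below are constructed for the example.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample firewall log lines (not from the original capture).
SAMPLE_LOG = """\
2004-02-09 12:40:01 DROP TCP 203.0.113.7:4123 -> 198.51.100.1:3127
2004-02-09 12:40:01 DROP TCP 203.0.113.7:4124 -> 198.51.100.2:3127
2004-02-09 12:40:02 DROP TCP 203.0.113.7:4125 -> 198.51.100.3:3127
2004-02-09 12:40:02 DROP TCP 203.0.113.7:4126 -> 198.51.100.4:3127
2004-02-09 12:41:10 DROP TCP 192.0.2.44:1044 -> 198.51.100.9:3127
2004-02-09 12:41:11 DROP TCP 192.0.2.44:1045 -> 198.51.100.9:3128
2004-02-09 12:41:12 DROP TCP 192.0.2.44:1046 -> 198.51.100.9:1080
2004-02-09 12:42:00 DROP TCP 198.51.100.200:51000 -> 198.51.100.5:80
"""

# Assumed line layout: "... TCP <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$")
MYDOOM_BACKDOOR = 3127            # port the MyDoom backdoor listens on
DEADHAT_PORTS = {3127, 3128, 1080}  # ports Symantec lists for Deadhat

def parse(log):
    """Yield (src, dst, dport) for every line matching LINE_RE, in log order."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group(1), m.group(2), int(m.group(3))

def is_sequential(dsts):
    """True if the destinations, in arrival order, step upward by exactly one."""
    ints = [int(ip_address(d)) for d in dsts]
    return len(ints) >= 3 and all(b - a == 1 for a, b in zip(ints, ints[1:]))

def classify_sources(log):
    """Map each source that touched 3127/tcp to the scan pattern it resembles."""
    by_src = defaultdict(lambda: {"dsts": [], "ports": set()})
    for src, dst, dport in parse(log):
        by_src[src]["dsts"].append(dst)
        by_src[src]["ports"].add(dport)
    result = {}
    for src, info in by_src.items():
        ports = info["ports"]
        if ports == {MYDOOM_BACKDOOR} and is_sequential(info["dsts"]):
            result[src] = "doomjuice-like 3127 sweep"
        elif DEADHAT_PORTS <= ports:
            result[src] = "deadhat-like 3127/3128/1080 probe"
        elif MYDOOM_BACKDOOR in ports:
            result[src] = "isolated 3127 probe"
    return result
```

Sources that never touch 3127/tcp (the port 80 line above) are left out of the result, so the output is only the hosts worth a closer look.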

