[DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?

Micheal Patterson micheal at tsgincorporated.com
Mon Feb 9 20:49:58 GMT 2004



----- Original Message ----- 
From: "Erik van Straten" <emvs.dsh.3FB4CC72 at cpo.tn.tudelft.nl>
To: <list at dshield.org>
Sent: Monday, February 09, 2004 12:46 PM
Subject: [DShield] 3127/tcp by Doomjuice (Kaspersky) - MyDoom takeover?


> List,
>
> I've observed a rapid increase in 3127/tcp scans from seemingly
> random IPs. They're sequentially scanning our IPs, bottom-up.
>
> These seem to match Kaspersky's Doomjuice (published ~ 2 hours ago):
> http://www.viruslist.com/eng/alert.html?id=930701
>
> Details, incl. address generation algorithm:
> http://www.viruslist.com/eng/viruslist.html?id=930677
>
> Supposedly it also causes a DDoS against Microsoft.
>
> Note that this one seems to differ from Symantec's Deadhat:
> http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
>
> According to Symantec's description, Deadhat scans 3127/tcp, 3128/tcp
> and 1080/tcp (I've seen one or two of those).
>
> Regards,
> Erik van Straten
>

Since 00:01 this morning, I've had 11219 attempts on port 3127 from random
IPs. I've also had 522 for port 3128 and 1080 each in matched sets of
IPs.

--

Micheal Patterson
TSG Network Administration
405-917-0600
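
An added example, not part of either message above: one way to separate the two scan profiles the thread describes (sources probing only 3127/tcp versus sources probing 3127, 3128 and 1080 as a matched set) and to flag the bottom-up sequential sweep. The log format, the sample lines and all names in the code are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample lines in a hypothetical "SRC= DST= PROTO= DPT=" firewall format.
SAMPLE_LOG = """\
Feb  9 00:01:02 fw DROP SRC=198.51.100.7 DST=192.0.2.1 PROTO=TCP DPT=3127
Feb  9 00:01:03 fw DROP SRC=198.51.100.7 DST=192.0.2.2 PROTO=TCP DPT=3127
Feb  9 00:01:04 fw DROP SRC=198.51.100.7 DST=192.0.2.3 PROTO=TCP DPT=3127
Feb  9 00:02:10 fw DROP SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP DPT=3127
Feb  9 00:02:10 fw DROP SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP DPT=3128
Feb  9 00:02:11 fw DROP SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP DPT=1080
Feb  9 00:03:00 fw DROP SRC=198.51.100.44 DST=192.0.2.8 PROTO=TCP DPT=445
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP DPT=(\d+)")
BACKDOOR_PORT = 3127                        # port named in the subject line
MATCHED_SET = frozenset({3127, 3128, 1080})  # ports the thread lists for Deadhat

def profile_sources(log_text):
    """Return {src: (port_profile, sequential_sweep)} for each source IP."""
    ports, targets = defaultdict(set), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that are not TCP drops in this format
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        ports[src].add(dport)
        if dport == BACKDOOR_PORT:
            targets[src].append(int(ip_address(dst)))
    result = {}
    for src, seen in ports.items():
        if MATCHED_SET <= seen:
            label = "3127+3128+1080"
        elif BACKDOOR_PORT in seen:
            label = "3127-only"
        else:
            label = "other"
        t = targets[src]
        # "Bottom-up": at least three 3127 probes at strictly ascending addresses.
        sweep = len(t) >= 3 and all(b > a for a, b in zip(t, t[1:]))
        result[src] = (label, sweep)
    return result

if __name__ == "__main__":
    for src, (label, sweep) in sorted(profile_sources(SAMPLE_LOG).items()):
        print(f"{src:15} profile={label:15} sequential_sweep={sweep}")
```

The port profile only groups sources by observed behaviour; it does not by itself identify which worm is behind a given source.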
