[Dshield] port 11768

Joe Stewart jstewart at lurhq.com
Thu Jan 13 16:21:46 GMT 2005

On Wednesday 12 January 2005 12:39 pm, Esler, Joel - Contractor wrote:
> Apparently it's worm related. Dipnet or oddbob... The .d variant... 
> I got this information from a third party so...

This is indeed the case. It is an LSASS-exploiting worm which spreads an 
IRC bot. Nothing new being exploited here. The port 11768 traffic is so 
the bot can detect if a host is already infected, and if so, with what 
version. The traffic should be moving to port 15118 next.

I've posted a brief analysis of it here:


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ http://www.lurhq.com/

More information about the list mailing list