[Dshield] New Variant of Linkbot

Paul F Dixon pdixon at rwsc.com
Thu Oct 6 23:21:16 GMT 2005


To all,

We've been chasing down a virus in our facilities that looks a lot like
w32.linkbot.m, found at:
http://securityresponse.symantec.com/avcenter/venc/data/w32.linkbot.m.html

Here are some particular findings about this bug.

This is a fast-moving bug.  We're able to detect it by tailing our fwlogs
and grepping out port 191 calls to 207.71.106.173.

207.71.106.173 is an active machine on the internet:
http://www.dnsstuff.com/tools/ping.ch?ip=202.71.106.173

Traceroute:
http://www.dnsstuff.com/tools/ping.ch?ip=202.71.106.173

ARIN - Whois:
http://www.dnsstuff.com/tools/whois.ch?ip=202.71.106.173


Is anyone having the same probs?

Paul Dixon
Manager, Network Operations & Information Security
Rockwell Scientific Company LLC
pdixon-at-rwsc.com
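
The detection described in the message (watching firewall logs for port 191 connections to 207.71.106.173), written out as an added example that is not part of the original post. It assumes iptables-style `SRC=`/`DST=`/`DPT=` log fields; the function names and sample log lines are constructed for illustration. Matching on exact fields avoids the false hits a bare grep for "191" would produce (source port 191, destination port 1910).

```shell
#!/bin/sh
# Indicator values are the ones given in the post; override via environment.
C2_IP="${C2_IP:-207.71.106.173}"
C2_PORT="${C2_PORT:-191}"

# Constructed sample log. The key=value layout is an assumption; adjust the
# field names in linkbot_hosts to match your firewall's format.
sample_log() {
cat <<'EOF'
Oct  6 16:01:02 fw kernel: OUT=eth0 SRC=10.1.4.23 DST=207.71.106.173 PROTO=TCP SPT=1042 DPT=191
Oct  6 16:01:03 fw kernel: OUT=eth0 SRC=10.1.7.88 DST=207.71.106.173 PROTO=TCP SPT=1107 DPT=191
Oct  6 16:01:09 fw kernel: OUT=eth0 SRC=10.1.4.23 DST=207.71.106.173 PROTO=TCP SPT=1043 DPT=191
Oct  6 16:01:11 fw kernel: OUT=eth0 SRC=10.1.9.5 DST=192.0.2.10 PROTO=TCP SPT=191 DPT=80
Oct  6 16:01:12 fw kernel: OUT=eth0 SRC=10.1.9.6 DST=207.71.106.173 PROTO=TCP SPT=1200 DPT=1910
EOF
}

# Read log lines on stdin and print "count source-ip" for every host that
# connected to C2_IP on destination port C2_PORT, busiest host first.
linkbot_hosts() {
  awk -v ip="$C2_IP" -v port="$C2_PORT" '
    {
      src = dst = dpt = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
      }
      # Exact comparison on destination address and destination port only.
      if (dst == ip && dpt == port && src != "") hits[src]++
    }
    END { for (s in hits) print hits[s], s }
  ' | sort -k1,1nr -k2,2
}

# Demo run on the constructed sample.
sample_log | linkbot_hosts
```

The output is a list of internal source addresses to isolate and clean, ordered by how many matching connections each made.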


