[Dshield] New Variant of Linkbot

Paul F Dixon pdixon at rwsc.com
Fri Oct 7 09:11:27 GMT 2005


Yes,

It's a hardly-ever used registered port.

It's registered to: Cliff Neuman's Prospero Directory Service

I'm sure it's not related but here's the scoop on Prospero:
   Cliff Neuman described Prospero. It follows a file system model, rather
   than the hypertext model. It is built on UDP for speed. It has the
   notion of a Directory which contains links to other objects (other
   directories or files). It returns the link to the information object and
   then automatically retrieves the file by another mechanism by the
   appropriate access method (Archie, WAIS, nntp, WWW - soon!, NFS, ftp
   etc.) It has been used very successfully to access the archie database.
   Cliff stated that he expected to be able to use X.500 to translate
   between the document ID and how to get the document.

   With Prospero the user has his own view of the global information base
   (or has a view built for him). Cliff thought there should be multiple
   name spaces - but the difficulty would be that these would need
   representing near the top of the directory tree. With multiple user
   chosen views - this would be difficult to manage. Also two users might
   refer to an object by different handles which would be relative to their
   individual name spaces - difficult when passing references (say in a
   mail message) from one person to the other.

More on the virus.  I'll get a compressed, protected version as soon as I
can.  I've done more evaluation on our Firewall and it seems that this may
have been a timebomb - I have records of several machines starting to talk
to 207.71.106.173 at appx. the same time.  Maybe we've had the virus
banging around for some time.

Paul Dixon




                                                                           
             Jeff Kell                                                     
             <jeff-kell at utc.ed                                             
             u>                                                         To 
             Sent by:                  General DShield Discussion List     
             list-bounces at list         <list at lists.dshield.org>            
             s.dshield.org                                              cc 
                                                                           
                                                                   Subject 
             10/06/2005 06:13          Re: [Dshield] New Variant of        
             PM                        Linkbot                             
                                                                           
                                                                           
             Please respond to                                             
              General DShield                                              
              Discussion List                                              
             <list at lists.dshie                                             
                  ld.org>                                                  
                                                                           
                                                                           




Paul F Dixon wrote:

> This is a fast moving bug.  We're able to detect it by tailing our fwlogs
> and grepping out port 191 calls to 207.71.106.173.

Port 191?

Jeff
_________________________________________
Using .Net? Need to know more about .Net Security?
http://isc.sans.org/banner_count.php?dest=dotnet

_______________________________________________
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list





More information about the list mailing list