[unisog] BugBear Worm

Pat Wilson paw at noh.ucsd.edu
Fri Oct 4 05:55:59 GMT 2002


Well over 95% of the UDP 137 scanning I've seen here is Scrup/Opaserv - I'm
not sure I've seen _any_ Bugbear yet (no smtp involvement that I've seen).

But, yeah - kill 'em all.


Pat Wilson
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015

Peter Van Epp <vanepp at sfu.ca> writes:

		I just got a complaint from offsite about a bugbear infected email 
	which looks to have a forged From: address at SFU (but no SFU machines showing
	in headers). I hope this isn't another Klez like thing that forges From: 
	lines (luckily I remember seeing a mail virus scanner update notice this morning
	on our changes list which hopefully catches this outbound).
		The machines I have seen scanning on 137 don't appear to be sending 
	email, so perhaps I've been whacking some other variant too (I however am an
	equal opportunity whacker, you scan I whack :-)).

	Peter Van Epp / Operations and Technical Support 
	Simon Fraser University, Burnaby, B.C. Canada


	> 
	> I've seen heavy udp port 137 scanning since Friday nite.  I'm not sure what
	> we've seen is BugBear or W32/Scrup.worm or W32.Opaserv.worm.
	> 
	> 
	> Mike Iglesias                          Internet:    iglesias at draco.acs.uci.edu
	> University of California, Irvine       phone:       949-824-6926
	> Network & Academic Computing Services  FAX:         949-824-2069
	> 
	> 
	> 


