[unisog] BugBear Worm
paw at noh.ucsd.edu
Fri Oct 4 05:55:59 GMT 2002
Well over 95% of the UDP 137 scanning I've seen here is Scrup/Opaserv - I'm
not sure I've seen _any_ Bugbear yet (no smtp involvement that I've seen).
But, yeah - kill 'em all.
Network Security Manager
UCSD ACS/Network Operations
paw at ucsd.edu
6F3A AE75 F931 3A19 D207 19F3 DB9B 29DC 2C3F E015
Peter Van Epp <vanepp at sfu.ca> writes:
I just got a complaint from offsite about a bugbear infected email
which looks to have a forged From: address at SFU (but no SFU machines showing
in headers). I hope this isn't another Klez like thing that forges From:
lines (luckily I remember seeing a mail virus scanner update notice this morning
on our changes list which hopefully catches this outbound).
The machines I have seen scanning on 137 don't appear to be sending
email, so perhaps I've been whacking some other variant too (I however am an
equal opportunity whacker, you scan I whack :-)).
Peter Van Epp / Operations and Technical Support
Simon Fraser University, Burnaby, B.C. Canada
> I've seen heavy udp port 137 scanning since Friday night. I'm not sure what
> we've seen is BugBear or W32/Scrup.worm or W32.Opaserv.worm.
> Mike Iglesias Internet: iglesias at draco.acs.uci.edu
> University of California, Irvine phone: 949-824-6926
> Network & Academic Computing Services FAX: 949-824-2069