[unisog] I may have spoken too soon (Windows message)

Clarke Morledge chmorl at wm.edu
Fri Oct 11 14:40:25 GMT 2002

Thanks for all of your help on tracking down some details on the Windows
messaging spam.

It looks like we got bit by the method that uses Microsoft RPC (UDP

Apparently, there is more than one way to propagate "net send" type
messages. I was not aware of that before.

I do have a packet trace using the "net send" command on W2K to an
individual system whereby a few queries are sent to the NetBIOS Name
Service (UDP 137), followed by an ICMP ping, followed by the message going
out over NetBIOS Session Service (TCP 139).  But this type of scenario
does not apply to yesterday's spam....

Clarke Morledge
College of William and Mary
Information Technology - Network Engineering
Jones Hall (Room 18)
Williamsburg VA 23187
chmorl at wm.edu
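
The "net send" sequence described in the message above (name queries to UDP 137, then an ICMP ping, then the message over TCP 139), as an added example that is not part of the original post: a Python check that flags that ordered sequence in packet summaries. The record format, the 10-second window and the sample addresses are assumptions constructed for illustration.

```python
from collections import namedtuple

# One record per captured packet (constructed summary format, not a real tool's output).
Pkt = namedtuple("Pkt", "ts src dst proto dport")

def find_net_send_sessions(packets, window=10.0):
    """Return (src, dst, ts) for each TCP/139 connection that the same source
    preceded, within `window` seconds per step, by a UDP/137 name query and
    then an ICMP ping to the same destination."""
    last_nbns = {}  # src -> time of its most recent UDP/137 query
    pinged = {}     # (src, dst) -> time of the ping that followed a query
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto == "udp" and p.dport == 137:
            # Assumption: the query may go to a broadcast address or a name
            # server, so only the source is tracked, not the destination.
            last_nbns[p.src] = p.ts
        elif p.proto == "icmp":
            t = last_nbns.get(p.src)
            if t is not None and p.ts - t <= window:
                pinged[(p.src, p.dst)] = p.ts
        elif p.proto == "tcp" and p.dport == 139:
            # pop() so the later packets of one connection are not re-reported.
            t = pinged.pop((p.src, p.dst), None)
            if t is not None and p.ts - t <= window:
                hits.append((p.src, p.dst, p.ts))
    return hits

# Constructed sample trace using documentation addresses (RFC 5737).
SAMPLE = [
    Pkt(0.00, "192.0.2.10", "192.0.2.255", "udp", 137),
    Pkt(0.75, "192.0.2.10", "192.0.2.255", "udp", 137),
    Pkt(1.50, "192.0.2.10", "192.0.2.20", "icmp", None),
    Pkt(1.51, "192.0.2.20", "192.0.2.10", "icmp", None),   # echo reply
    Pkt(1.60, "192.0.2.10", "192.0.2.20", "tcp", 139),
    Pkt(1.61, "192.0.2.10", "192.0.2.20", "tcp", 139),
    Pkt(5.00, "192.0.2.30", "192.0.2.20", "tcp", 139),     # no query or ping first
]

if __name__ == "__main__":
    for src, dst, ts in find_net_send_sessions(SAMPLE):
        print(f"{ts:.2f}s  {src} -> {dst}  matches the UDP 137 / ping / TCP 139 sequence")
```

Traffic that reaches TCP 139 without the preceding query and ping, like the last sample record, is left unflagged, so messages delivered by a different method will not appear in the result.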
