[unisog] Possible new virus running

Doug Pearson dodpears at indiana.edu
Wed Feb 2 02:21:49 GMT 2005


FWIW, attached are three graphs:

- TCP/445 hits in the REN-ISAC darknet (views to commercial Internet and Abilene) since 01/01. On 01/31 it reached a peak not seen since 01/03.

- TCP/445 sources in the darknet since 01/01, also reaching a peak not seen since 01/03.

- Abilene traffic on TCP/445, seems to be somewhat stable over the past 5 days - at least there's one good sign (although the levels are high!)

Abilene traffic on various common application and threat vector ports can be viewed at http://www.ren-isac.net/monitoring.cgi. We're working to get the darknet stats available on the web but are not there yet.

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu
http://www.ren-isac.net




At 01:29 PM 2/1/2005 -0800, Peter Van Epp wrote:
>        I've been holding off hoping one of my folks would identify what they
>got hit by, but so far no reports. We had around 25 machines (about half modems
>and wireless machines) scanning on 445 this morning. It's blocked internally so 
>it didn't make it off site and they are now all whacked, and there have been
>a trickle through the day (likely laptops brought on to the network and 
>infecting their surroundings). The first two who responded didn't find 
>anything much (spyware in one case, 5 viruses in the other), one reformatted 
>the other started scanning again when re-enabled. It may be this:
>
>http://www.eweek.com/article2/0,1759,1756823,00.asp  
>
>which seems to be the virus du jour which may or may not be called 
>W32/Mugly.i@MM which I have also been advised is running around (both from 
>folks that aren't infected though).
>
>Peter Van Epp / Operations and Technical Support 
>Simon Fraser University, Burnaby, B.C. Canada
>_______________________________________________
>unisog mailing list
>unisog at lists.sans.org
>http://www.dshield.org/mailman/listinfo/unisog
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050201_tcp_dst_445_darknet_sources.png
Type: image/png
Size: 6143 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050201/d16e397b/20050201_tcp_dst_445_darknet_sources-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050201_tcp_dst_445_abilene_netflow.png
Type: image/png
Size: 81690 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050201/d16e397b/20050201_tcp_dst_445_abilene_netflow-0002.png
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050201_tcp_dst_445_darknet_hits.png
Type: image/png
Size: 5199 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050201/d16e397b/20050201_tcp_dst_445_darknet_hits-0002.png
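The two darknet series Doug graphs above (TCP/445 hits per day and distinct TCP/445 sources per day) and the "machines scanning on 445" Peter describes are both simple reductions over flow records. The following is an added example, not REN-ISAC or SFU code, showing how to produce those series from a flow log, flag a day whose hit count jumps against the preceding days, and list sources that touched many distinct hosts on 445 (the scanning pattern a darknet or an internal netflow feed would expose). The record format (ISO timestamp, source, destination, destination port, protocol), the sample records, 192.0.2.0/24 as the stand-in darknet range, and the thresholds are all assumptions for the example.

```python
"""Reduce TCP/445 flow records into daily hits, daily distinct sources,
spike days and scanning sources.

Added example, not REN-ISAC or SFU code. Assumed record format:
  <ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records (not real darknet data). 192.0.2.0/24 stands in
# for the unused address space a darknet sensor would announce; the port-80
# and UDP lines are there to show that they are filtered out.
SAMPLE_FLOWS = """\
2005-01-30T08:00:01 198.51.100.7 192.0.2.10 445 tcp
2005-01-30T09:15:22 198.51.100.7 192.0.2.11 445 tcp
2005-01-30T10:41:03 203.0.113.44 192.0.2.12 445 tcp
2005-01-30T11:05:17 203.0.113.44 192.0.2.13 80 tcp
2005-01-31T00:12:45 198.51.100.7 192.0.2.10 445 tcp
2005-01-31T01:30:00 203.0.113.9 192.0.2.14 445 tcp
2005-01-31T02:01:11 203.0.113.9 192.0.2.15 445 tcp
2005-01-31T02:02:12 203.0.113.9 192.0.2.16 445 tcp
2005-01-31T02:03:13 203.0.113.9 192.0.2.17 445 tcp
2005-01-31T02:04:14 203.0.113.9 192.0.2.18 445 tcp
2005-01-31T02:05:15 203.0.113.9 192.0.2.19 445 tcp
2005-01-31T03:17:50 198.51.100.200 192.0.2.20 445 tcp
2005-01-31T04:22:33 192.0.2.99 192.0.2.21 445 udp
2005-01-31T05:00:00 203.0.113.77 192.0.2.22 445 tcp
"""


def parse_flows(text):
    """Parse one record per line; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"day": ts[:10], "src": src, "dst": dst,
                      "dport": int(dport), "proto": proto.lower()})
    return flows


def tcp_port_flows(flows, port=445):
    """Keep only TCP records whose destination port is `port`."""
    return [f for f in flows if f["proto"] == "tcp" and f["dport"] == port]


def daily_stats(flows, port=445):
    """Return {day: (hits, distinct_sources)}, i.e. the two darknet graphs."""
    hits = defaultdict(int)
    sources = defaultdict(set)
    for f in tcp_port_flows(flows, port):
        hits[f["day"]] += 1
        sources[f["day"]].add(f["src"])
    return {d: (hits[d], len(sources[d])) for d in sorted(hits)}


def spike_days(stats, factor=2.0):
    """Days whose hit count exceeds `factor` times the mean of all earlier days.

    The first day has no history and is never flagged.
    """
    flagged, history = [], []
    for day, (hits, _) in stats.items():
        if history and hits > factor * mean(history):
            flagged.append(day)
        history.append(hits)
    return flagged


def find_scanners(flows, port=445, min_targets=5):
    """Sources that touched at least `min_targets` distinct hosts on `port`.

    A legitimate SMB client talks to a few servers; a worm hitting many
    distinct addresses on 445 stands out by target count alone.
    """
    targets = defaultdict(set)
    for f in tcp_port_flows(flows, port):
        targets[f["src"]].add(f["dst"])
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    stats = daily_stats(flows)
    for day, (hits, srcs) in stats.items():
        print(f"{day}: {hits} hits from {srcs} distinct sources")
    print("spike days:", spike_days(stats))
    print("scanners:", find_scanners(flows))
```

On the constructed records the second day carries three times the hits of the first, so it is flagged, and one source is reported as a scanner because it touched six distinct addresses on 445. On a real feed the spike test should run against a longer baseline than a single prior day, and `min_targets` should be tuned per network so that backup servers and domain controllers that legitimately reach many hosts on 445 are excluded or allow-listed.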