[unisog] worm that looks for 139, 1433 and 2967
scottf at uark.edu
Sat Feb 17 20:10:12 GMT 2007
Take your pick of any number of variants of spybot or similar botnet
varieties. They all have had new modules added in the past few
months to look for the Symantec AV vulnerability, along with VNC,
older vulnerabilities in Windows, etc.

So I would recommend that you look at the outbound TCP
traffic for a known infected host that was scanning your
network. You should be able to look at the information and find some
IP address which is acting as the C&C IRC host. Using that
information, you should be able to track down and block all of the
hosts that have been compromised so far.

At 12:35 PM 2/17/2007, you wrote:
>I noticed a bunch of hosts on our campus were infected yesterday
>which caused them to scan for 139, 1433 and 2967. Anyone else see that?
>Anyone have any info?
>Seems to me the previous round of malware that included 2967 also
>looked for 5900,
>so this could be somewhat different?
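
The approach suggested in the reply above, as an added example that is not part of the original post: from flow records, rank the external endpoints a known infected host talks to (ignoring its scan traffic), then list every local host contacting the top candidate. The campus prefix, the flow record layout and all addresses are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

CAMPUS = ipaddress.ip_network("10.20.0.0/16")   # assumption: local address space
SCAN_PORTS = {139, 1433, 2967}                  # ports named in the thread

# Constructed flow records: (src, dst, dst_port, duration_seconds)
FLOWS = [
    ("10.20.5.17", "10.20.8.1", 139, 0),         # scan traffic
    ("10.20.5.17", "10.20.8.2", 1433, 0),
    ("10.20.5.17", "10.20.8.3", 2967, 0),
    ("10.20.5.17", "198.51.100.80", 80, 4),      # short web fetch
    ("10.20.5.17", "203.0.113.66", 6667, 7200),  # long-lived session
    ("10.20.9.44", "203.0.113.66", 6667, 6900),
    ("10.20.9.44", "10.20.8.9", 2967, 0),
    ("10.20.3.12", "198.51.100.80", 80, 3),
    ("10.20.7.30", "203.0.113.66", 6667, 120),   # not yet seen scanning
]

def is_local(ip):
    return ipaddress.ip_address(ip) in CAMPUS

def candidate_c2(flows, infected):
    """Rank external endpoints the infected host talks to, longest-lived first."""
    seconds = defaultdict(int)
    for src, dst, port, dur in flows:
        # Skip the scan itself and anything that stays on campus.
        if src == infected and not is_local(dst) and port not in SCAN_PORTS:
            seconds[(dst, port)] += dur
    return sorted(seconds, key=seconds.get, reverse=True)

def hosts_contacting(flows, endpoint):
    """Local hosts with any flow to the given (ip, port) endpoint."""
    return sorted({src for src, dst, port, _ in flows
                   if (dst, port) == endpoint and is_local(src)})

if __name__ == "__main__":
    top = candidate_c2(FLOWS, "10.20.5.17")[0]
    print("candidate C&C:", top)
    print("hosts to check and block:", hosts_contacting(FLOWS, top))
```

The ranking is a heuristic: confirm the top candidate by inspecting the session before blocking, since a long-lived connection can also be legitimate.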