[unisog] worm that looks for 139, 1433 and 2967

power less absolutelynopower at gmail.com
Sun Feb 18 01:13:23 GMT 2007


No. I didn't get it in my tiny little purview (that I know about ... yet).
What is the method of choice these days for collecting specimens (other than
real Windows machines that get viruses)?  I have a machine that acts as a
sensor that could get a makeover into a sort of honeypot.

On 2/17/07, C. Hamby <fixer at gci.net> wrote:
>
> Sounds like it could be one of the endless
> Agobot/Phatbox/xbot-of-the-week variants.  Have you managed to recover
> any specimens?
>
> -cdh
>
> power less wrote:
> > I noticed a bunch of hosts on our campus were infected yesterday with
> > something which caused them to scan for 139, 1433 and 2967. Anyone else
> > see that? Anyone have any info?
> > Seems to me the previous round of malware that included 2967 also looked
> > for 5900, so this could be somewhat different?
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > unisog mailing list
> > unisog at lists.dshield.org
> > https://lists.sans.org/mailman/listinfo/unisog