[unisog] New Worm?

Bob Henry bhenry at boisestate.edu
Fri Feb 1 17:39:02 GMT 2008

 We are spotting a growing list of machines sweeping several subnets
like this:

First, try a Ping:
if get a response, try 2 times
if no response, try 4 times

Next, send an NBSTAT -a packet, full of <00>  (or AA)
if no response, try 3 times

All windows boxes, none show viruses when scanned with our Symantec
Enterprise AV, no rootkits according to rootkit revealer and sophos.  8
out of 50 (or so) show up in our Facetime logs trying to phone home, so
they have adware on them.

Has anyone seen anything like this and what was your response?


Robert Henry, CISSP, GCIH
Information Security Officer
Office of Information Technology
Boise State University
bhenry at boisestate.edu

More information about the unisog mailing list