[69399] in North American Network Operators' Group
Re: worm information
daemon@ATHENA.MIT.EDU (Jeff Workman)
Sat Apr 10 13:54:02 2004
Date: Sat, 10 Apr 2004 13:53:15 -0400
From: Jeff Workman <jworkman@pimpworks.org>
To: "'nanog list'" <nanog@merit.edu>
In-Reply-To: <B0007605104@mail.bblabs.net>
Errors-To: owner-nanog-outgoing@merit.edu
--On Saturday, April 10, 2004 8:35 AM -0700 "Christopher J. Wolff"
<chris@bblabs.com> wrote:
>
> Hello,
>
> Over the last few days I've seen a number of hosts attempt to initiate TCP
> connections to the following ports in sequence.
>
> 80
> 139
> 445
> 6129
> 3127
> 1025
> 135
> 2745
> ...repeat.
>
There's a number of viruses/worms in the wild that are programmed to
exploit various M$ vulnerabilities:
80 - IIS WebDAV (MS03-007)and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares
I'm not sure about the other ports, I *think* 1025 has something to do with
MS RPC as well, but don't quote me on that.
What you are probably seeing, at least in the cases involving the ports I
listed above, is one of the many W32.Gaobot (Symantec)[1] variants.
-J
[1]
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
--
Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
