Educause Security Discussion mailing list archives
MyDoom backdoor scanning on the rise
From: REN-ISAC <dodpears () INDIANA EDU>
Date: Mon, 9 Feb 2004 13:30:49 -0500
Dear all,

Underscoring the need to get those MyDoom infections cleaned up...

MyDoom.A[1], aka W32.Novarg.A, installs a proxy that allows TCP connections on a port in the range of 3127 to 3198. The backdoor permits an attacker to download and execute arbitrary files on an infected machine. MyDoom.B[2] similarly installs a proxy that listens on TCP ports including 3128.

A new worm known as Deadhat[3], aka Vesser, exploits the MyDoom.A and B backdoors and is now loose in the wild. Deadhat was first seen February 7th. We're seeing a corresponding rise in scanning for port 3127 on Abilene.

The attached document shows graphs of packet counts seen on Abilene router ACLs and flows seen in Abilene NetFlow data. Current activity against the router ACL counters can be viewed on the REN-ISAC web page: http://ren-isac.net/.

Regards,

Doug Pearson
REN-ISAC
http://ren-isac.net
24x7 watch desk: (317)278-6630
ren-isac () iu edu

---
[1] W32/Novarg.A Virus
http://www.cert.org/incident_notes/IN-2004-01.html
[2] W32/MyDoom.B
http://www.us-cert.gov/cas/techalerts/TA04-028A.html
[3] W32.HLLW.Deadhat, aka Vesser
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
http://www.f-secure.com/v-descs/vesser.shtml

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Attachment:
mydoom_backdoor_scanning_20040209.pdf
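The advisory points at NetFlow data as the place where the Deadhat scanning shows up: sources that touch many distinct hosts on TCP 3127 (or anywhere in the MyDoom.A range 3127-3198, which includes the 3128 port MyDoom.B uses). The following is an added example, not REN-ISAC's code or tooling, showing the simplest form of that detection over a constructed, simplified flow export (one line per flow: source IP, destination IP, destination port, protocol); the column layout, the sample addresses and the `min_targets` threshold are assumptions for the example.

```python
"""Flag sources sweeping the MyDoom backdoor port range in simplified flow records."""
from collections import Counter, defaultdict

# Port range named in the advisory for the MyDoom.A proxy backdoor; MyDoom.B's 3128
# falls inside it, so one range covers both variants.
BACKDOOR_PORTS = range(3127, 3199)

# Constructed sample flow export (not real Abilene NetFlow data).
# Format assumed for this example: "src_ip dst_ip dst_port proto", one flow per line.
SAMPLE_FLOWS = """\
10.0.0.5 192.0.2.10 3127 tcp
10.0.0.5 192.0.2.11 3127 tcp
10.0.0.5 192.0.2.12 3127 tcp
10.0.0.5 192.0.2.13 3127 tcp
10.0.0.5 192.0.2.14 3127 tcp
10.0.0.5 192.0.2.15 3127 tcp
10.0.0.9 192.0.2.20 3128 tcp
10.0.0.9 192.0.2.21 3128 tcp
10.0.0.7 192.0.2.30 80 tcp
10.0.0.7 192.0.2.31 53 udp
"""


def parse_flows(text):
    """Parse the simplified export into (src, dst, port, proto) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, port, proto = parts
        try:
            flows.append((src, dst, int(port), proto.lower()))
        except ValueError:
            continue  # non-numeric port field: not a usable record
    return flows


def port_counts(flows):
    """Flows per backdoor port; this is the per-port view the advisory's graphs plot."""
    counts = Counter(port for _, _, port, proto in flows
                     if proto == "tcp" and port in BACKDOOR_PORTS)
    return dict(counts)


def backdoor_scanners(flows, min_targets=5):
    """Sources contacting at least `min_targets` distinct hosts on a backdoor port.

    Counting distinct destinations rather than raw flows separates a sweep from
    a single host legitimately reusing a port in that range. The threshold is an
    assumption for the example; tune it to the link's baseline.
    """
    targets = defaultdict(set)
    for src, dst, port, proto in flows:
        if proto == "tcp" and port in BACKDOOR_PORTS:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flows per backdoor port:", port_counts(flows))
    print("likely scanners:", backdoor_scanners(flows))
```

On the constructed input only 10.0.0.5 crosses the threshold (six distinct targets on 3127); 10.0.0.9 touched two hosts on 3128 and stays below it, and the web/DNS flows from 10.0.0.7 are ignored. Run against a real export, the sources this flags are the infected machines the advisory is asking sites to clean up, and the per-port counts give the same trend line as the router ACL counters.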