Educause Security Discussion mailing list archives

MyDoom backdoor scanning on the rise


From: REN-ISAC <dodpears () INDIANA EDU>
Date: Mon, 9 Feb 2004 13:30:49 -0500

Dear all,

Underscoring the need to get those MyDoom infections cleaned up...

MyDoom.A[1], aka W32.Novarg.A, installs a proxy that allows TCP connections on a port in the range of 3127 to 3198. The 
backdoor permits an attacker to download and execute arbitrary files on an infected machine. MyDoom.B[2] similarly 
installs a proxy that listens on TCP ports including 3128. A new worm known as Deadhat[3], aka Vesser, exploits the 
MyDoom.A and B backdoors and is now loose in the wild. Deadhat was first seen February 7th. We're seeing a 
corresponding rise in scanning for port 3127 on Abilene. The attached document shows graphs of packet counts seen on 
Abilene router ACLs and flows seen in Abilene NetFlow data. Current activity against the router ACL counters can be 
viewed on the REN-ISAC web page:
http://ren-isac.net/.


Regards,

Doug Pearson
REN-ISAC
http://ren-isac.net
24x7 watch desk: (317)278-6630
ren-isac () iu edu

---

[1] W32/Novarg.A Virus
http://www.cert.org/incident_notes/IN-2004-01.html

[2] W32/MyDoom.B
http://www.us-cert.gov/cas/techalerts/TA04-028A.html

[3] W32.HLLW.Deadhat, aka Vesser
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
http://www.f-secure.com/v-descs/vesser.shtml
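The kind of check the NetFlow graphs in the attachment rest on can be reproduced on any flow export. The following is an added illustration, not REN-ISAC's tooling or data: it reads constructed CSV flow records (the field order, the 10.20.0.0/16 "campus" prefix and the 198.51.100.x / 203.0.113.x addresses are all assumptions for the example), flags external sources that send SYNs to TCP 3127-3198 on many distinct internal hosts, the Deadhat-style sweep described above, and separately lists internal hosts that complete handshakes from one of those ports, which is what a live MyDoom proxy looks like from the network side.

```python
"""Spot MyDoom backdoor scanning and listening hosts in NetFlow-style records.

Added example with constructed data; the CSV layout below is an assumption,
not the format of any particular collector.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

BACKDOOR_PORTS = range(3127, 3199)      # MyDoom.A proxy range; MyDoom.B also uses 3128
LOCAL_NET = ip_network("10.20.0.0/16")  # hypothetical monitored address space
TCP = 6
SYN, ACK = 0x02, 0x10                   # NetFlow v5 cumulative TCP flag bits


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    flags: int   # cumulative TCP flags seen on the flow
    pkts: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: src,sport,dst,dport,proto,flags(hex),pkts."""
    src, sport, dst, dport, proto, flags, pkts = (f.strip() for f in line.split(","))
    return Flow(src, int(sport), dst, int(dport), int(proto), int(flags, 16), int(pkts))


def is_local(ip: str) -> bool:
    return ip_address(ip) in LOCAL_NET


def find_scanners(flows, min_targets=8):
    """External sources that open connections to backdoor ports on many local hosts.

    Returns {source_ip: number_of_distinct_local_targets} for sources at or
    above min_targets. Any flow with the SYN bit counts as an attempt, whether
    or not the target answered.
    """
    targets = defaultdict(set)
    for f in flows:
        if (f.proto == TCP and f.dport in BACKDOOR_PORTS
                and not is_local(f.src) and is_local(f.dst) and f.flags & SYN):
            targets[f.src].add(f.dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def find_responders(flows):
    """Local hosts that sent SYN+ACK from a backdoor port: something is listening there."""
    return sorted({f.src for f in flows
                   if f.proto == TCP and f.sport in BACKDOOR_PORTS and is_local(f.src)
                   and f.flags & SYN and f.flags & ACK})


# Constructed sample flows (not captured data).
SAMPLE_FLOWS = [
    # one source sweeping 10.20.1.1-10.20.1.10 on 3127; only 10.20.1.4 answered,
    # so that flow's cumulative flags include ACK (0x1a) while the rest are SYN only
    *[f"198.51.100.7,{40000 + i},10.20.1.{i},3127,6,{'1a' if i == 4 else '02'},1"
      for i in range(1, 11)],
    # the infected host's reply, sent from port 3127 with SYN+ACK
    "10.20.1.4,3127,198.51.100.7,40004,6,12,2",
    # a second source touching only two hosts on 3128, below the default threshold
    "203.0.113.5,51000,10.20.3.9,3128,6,02,1",
    "203.0.113.5,51001,10.20.3.10,3128,6,02,1",
    # ordinary web traffic in both directions, ignored by both checks
    "203.0.113.5,51002,10.20.3.11,80,6,1b,9",
    "10.20.3.11,52000,203.0.113.80,80,6,1b,12",
]


def analyze(lines, min_targets=8):
    flows = [parse_flow(line) for line in lines]
    return find_scanners(flows, min_targets), find_responders(flows)


if __name__ == "__main__":
    scanners, responders = analyze(SAMPLE_FLOWS)
    for src, n in sorted(scanners.items(), key=lambda kv: -kv[1]):
        print(f"scanner  {src:16} {n} local targets on TCP 3127-3198")
    for host in responders:
        print(f"listener {host:16} answered from a MyDoom backdoor port")
```

The responder list is the more urgent output: a host that answers on 3127-3198 is the one to pull off the network and clean, while the scanner list mostly tells you how much attention your address space is getting. The threshold is deliberately a parameter, since on a /16 a sweep will hit hundreds of addresses and a handful of probes from one source is noise.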

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.

Attachment: mydoom_backdoor_scanning_20040209.pdf