Educause Security Discussion mailing list archives
Re: MyDoom backdoor scanning on the rise
From: "Vaughn, Randal L." <Randy_Vaughn () BAYLOR EDU>
Date: Mon, 9 Feb 2004 12:48:46 -0600
Lurhq cautions against MyDoom.C here: http://www.lurhq.com/mydoom-c.html

Randal Vaughn
Baylor University

________________________________

From: The EDUCAUSE Security Discussion Group Listserv on behalf of REN-ISAC
Sent: Mon 2/9/2004 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] MyDoom backdoor scanning on the rise

Dear all,

Underscoring the need to get those MyDoom infections cleaned up...

MyDoom.A[1], aka W32.Novarg.A, installs a proxy that allows TCP connections on a port in the range of 3127 to 3198. The backdoor permits an attacker to download and execute arbitrary files on an infected machine. MyDoom.B[2] similarly installs a proxy that listens on TCP ports including 3128.

A new worm known as Deadhat[3], aka Vesser, exploits the MyDoom.A and B backdoors and is now loose in the wild. Deadhat was first seen February 7th.

We're seeing a corresponding rise in scanning for port 3127 on Abilene. The attached document shows graphs of packet counts seen on Abilene router ACLs and flows seen in Abilene NetFlow data.

Current activity against the router ACL counters can be viewed on the REN-ISAC web page: http://ren-isac.net/.

Regards,

Doug Pearson
REN-ISAC
http://ren-isac.net
24x7 watch desk: (317)278-6630
ren-isac () iu edu

---

[1] W32/Novarg.A Virus
http://www.cert.org/incident_notes/IN-2004-01.html

[2] W32/MyDoom.B
http://www.us-cert.gov/cas/techalerts/TA04-028A.html

[3] W32.HLLW.Deadhat, aka Vesser
http://securityresponse.symantec.com/avcenter/venc/data/w32.hllw.deadhat.html
http://www.f-secure.com/v-descs/vesser.shtml

-o0o-

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
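An added example, not part of either message or of REN-ISAC's tooling: a check over flow records that flags sources probing TCP ports 3127 to 3198 on several hosts, and hosts answering from those ports. The record layout, the `min_targets` threshold and the sample flows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# TCP port range the post gives for the MyDoom.A backdoor (3128, cited for MyDoom.B, falls inside it).
BACKDOOR_PORTS = range(3127, 3199)

# Constructed flow records using documentation addresses; not data from the post.
# Assumed columns: src,dst,proto,sport,dport,tcp_flags
SAMPLE_FLOWS = """\
198.51.100.7,192.0.2.10,tcp,40112,3127,S
198.51.100.7,192.0.2.11,tcp,40113,3127,S
198.51.100.7,192.0.2.12,tcp,40114,3127,S
192.0.2.12,198.51.100.7,tcp,3127,40114,SA
198.51.100.7,192.0.2.13,tcp,40115,3127,S
203.0.113.5,192.0.2.10,tcp,51000,80,S
203.0.113.9,192.0.2.10,tcp,52000,3128,S
192.0.2.44,203.0.113.80,udp,3130,53,-
"""

def parse_flows(text):
    """Yield one dict per flow record, with ports converted to int."""
    fields = ["src", "dst", "proto", "sport", "dport", "flags"]
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["sport"], row["dport"] = int(row["sport"]), int(row["dport"])
        yield row

def analyze(flows, min_targets=3):
    """Return (scanners, responders) for the backdoor port range."""
    targets = defaultdict(set)   # source -> distinct hosts it sent a bare SYN to
    responders = set()           # hosts that answered SYN+ACK from a backdoor port
    for f in flows:
        if f["proto"] != "tcp":
            continue
        if f["dport"] in BACKDOOR_PORTS and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
        # A SYN+ACK from one of these ports means something is listening there.
        # 3128 is also a common HTTP proxy port, so confirm before treating as infected.
        elif f["sport"] in BACKDOOR_PORTS and f["flags"] == "SA":
            responders.add(f["src"])
    scanners = {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}
    return scanners, sorted(responders)

if __name__ == "__main__":
    scanners, responders = analyze(parse_flows(SAMPLE_FLOWS))
    print("scanning sources:", scanners)
    print("hosts answering on backdoor ports:", responders)
```

Hosts in the second list are the ones to prioritize for cleanup, since they accepted a connection on a port in the backdoor range.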