Educause Security Discussion mailing list archives

Re: Am I the only one?


From: Jim Pollard <jim.pollard () MAIL UTEXAS EDU>
Date: Wed, 14 Apr 2004 12:48:04 -0500

Thankfully this is all traffic I see being rejected on its way in... not out.  We normally use either MS Baseline 
Security Analyzer or GFI LanGuard  to check patchlevels.  Actually we usually use both and nmap besides to look for 
unusual services running on any and all clients.  Good luck.

Jim

James R. Pollard Jr.
Tech Staff Asst III
College of Engineering
jim.pollard () mail utexas edu
Biomedical Engineering
Campus Mail Code: C0800
University of Texas
Austin, TX 78712
Office Ph. 512. 471.4358
 "Those who danced were thought to be quite insane by those who could not hear the music." 
    Angela Monet



-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Helms, Sandra
Sent: Wednesday, April 14, 2004 11:38 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Am I the only one?

Hi there - we are being hit with this and are being swamped trying to
locate instances of the worm.  Do you scan machines for windows and
virus updates?  If so, what products(s) do you use?  This is something
we have not seriously considered before; however, this new batch of
worms are insidious and users have not noticed ill-effects so they are
not reporting it. 

Sandra J. Helms
Director of Academic Computing
Bradley University
1501 W. Bradley Avenue
Peoria, IL  61625
309.677.2808
sandy () bradley edu


-----Original Message-----
From: Mark Wilson [mailto:wilsodm () AUBURN EDU] 
Sent: Wednesday, April 14, 2004 10:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Am I the only one?


We have seen this extensively on our network.  It is the AgoBot/GaoBot
worm/trojan or a variant.  It also goes by the name polybot.  Nasty little
booger.  It installs a backdoor and scans for "blank" or weak admin
passwords, various MS vulnerabilities, and DameWare (port 6129)
weaknesses.  It kills most anti-virus processes/programs.  Seems to be
particularly bad on University networks.

If you do an nmap scan, you will find high ports open.  Most times when
you telnet into the trojan port (BTW, it changes on each infection), you
will get: 220 Bot Server (Win32)

It has remote command and DOS functionality.
Useful Links:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.HN&VSect=T
http://vil.nai.com/vil/content/v_101100.htm
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.ul.html



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

jim.pollard () MAIL UTEXAS EDU 4/14/2004 9:50:18 AM >>>
Or did I miss it on Bugtraq?  Recently I've noticed a scan pattern in my
logs and wonder if anyone might recognize it as either a known virus or
some kiddie scanning tool looking for virus backdoors?  There are some
variations... occasionally port 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets
(take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
(Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets
(MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets
(W32.Mockbot) also Dameware


Thanks!

Jim
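As an added example (not part of any message in this thread), the following Python script parses firewall summary lines in the format Jim posted above and flags the port cluster the thread associates with worm backdoors (1025, 2745, 3127, 6129, with 80/8080 as optional variants). The sample lines embedded in the script are constructed to match the posted format; the port-to-worm labels come from the posts themselves. The threshold of three probed backdoor ports and the function names are this example's own choices. Because the thread's point is that these drops are fine inbound but would signal an infected host if seen outbound, the result also reports which firewall chains the hits came from and any hits that were not dropped.

```python
import re
from collections import OrderedDict

# Ports and the backdoors the thread associates with them (taken from the
# posts above; 80 and 8080 appear only in some variations of the pattern).
BACKDOOR_PORTS = {
    1025: "network blackjack / assorted virus backdoors",
    2745: "Beagle (Bagle) backdoor",
    3127: "MyDoom backdoor",
    6129: "DameWare / W32.Mockbot",
}
VARIANT_PORTS = {80: "http", 8080: "http-alt"}

# Constructed sample report in the same format as the posted log summary.
SAMPLE_LOG = """\
Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets
         Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
         Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets
         Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets
         Service: 22 (tcp/22) (net2fw:DROP:,eth1,none) - 7 packets
"""

# One summary line, e.g.
#   Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
# Some posted lines carry a stray colon before the chain name, so it is optional.
LINE_RE = re.compile(
    r"Service:\s+(?P<port>\d+)\s+\((?P<proto>[a-z]+)/\d+\)\s+"
    r"\(:?(?P<chain>\w+):(?P<action>\w+):,(?P<iface>\w+),(?P<extra>\w+)\)"
    r"\s+-\s+(?P<packets>\d+)\s+packets?"
)


def parse_summary(text):
    """Parse summary lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entries.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "chain": m.group("chain"),
            "action": m.group("action"),
            "iface": m.group("iface"),
            "packets": int(m.group("packets")),
        })
    return entries


def assess(entries, min_ports=3):
    """Report which known backdoor ports were probed and whether the cluster
    matches the scan pattern described in the thread (min_ports is an
    assumed threshold, not something the posts specify)."""
    hits = OrderedDict()
    variants = {}
    chains = set()
    not_dropped = []
    for e in entries:
        if e["proto"] != "tcp":
            continue
        if e["port"] in BACKDOOR_PORTS:
            hits[e["port"]] = hits.get(e["port"], 0) + e["packets"]
            chains.add(e["chain"])
            if e["action"] != "DROP":
                not_dropped.append(e["port"])
        elif e["port"] in VARIANT_PORTS:
            variants[e["port"]] = variants.get(e["port"], 0) + e["packets"]
    return {
        "backdoor_hits": dict(hits),
        "variant_hits": variants,
        "labels": {p: BACKDOOR_PORTS[p] for p in hits},
        "chains": sorted(chains),          # e.g. net2fw = inbound to the firewall
        "not_dropped": sorted(not_dropped),  # backdoor-port traffic that got through
        "matches_pattern": len(hits) >= min_ports,
    }


if __name__ == "__main__":
    result = assess(parse_summary(SAMPLE_LOG))
    for port, label in result["labels"].items():
        print(f"{port}: {result['backdoor_hits'][port]} packets ({label})")
    print("matches worm scan pattern:", result["matches_pattern"])
```

Run it against a real summary by replacing SAMPLE_LOG with the report text; a hit cluster whose chain is an outbound one, or whose action is not DROP, is the case worth chasing down on the hosts behind that interface.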

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
