Educause Security Discussion mailing list archives
Re: symantec targetting worm
From: Mike Iglesias <iglesias () UCI EDU>
Date: Fri, 29 Dec 2006 15:53:32 -0800
robin wrote:
Some subnets here are having a bit of trouble with a worm that in particular seems to be going for tcp port 2967, which we would guess is aiming for the SAVCE managed client port. In some cases the worm or worms also go for tcp port 139, 445 and/or 5900. Anyone seeing this and have some advice? Have worms been ID'd other than these at other .edu's?
We've been seeing the SAVCE worm for about a week now. Most of the attacks have come from other .edu sites. The worm we have seen sends several packets to port 2967, with lots of ASCII characters as padding. The third packet contains binary data at the beginning, which is probably the nasty payload. We've seen two different versions of this payload, but the first 8 bytes appear to be the same in both of them. The bytes are (in hex) eb060d101e506d6d, so if you have an IDS you can write a signature to find that pattern near the beginning of the data portion of the packet.

One variant of the worm opens port 8555 as a communications channel for the attackers to get cmd.exe access to the system. If you find a system with both ports 2967 and 8555 open, it's infected and should be removed from your network.

Some variants try to connect to a command & control system using port 21881 as the destination port. We've seen some of this as well, to a system in Taiwan (140.131.142.236). That system was not responding on that port the last time I checked.

--
Mike Iglesias                          Email: iglesias () uci edu
University of California, Irvine       phone: 949-824-6926
Network & Academic Computing Services  FAX: 949-824-2069
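The signature and host-triage checks Mike describes, worked through as an added example (this is not code from the list post or from anyone at UCI). The 8-byte hex prefix, the 2967/8555/21881 ports and the "both ports open means infected" rule come straight from the reply above; everything else is an assumption: the packet samples are constructed, the C2 address is a documentation-range placeholder rather than the real one, the search window for "near the beginning" is set to a start offset of at most 8 bytes, and the Snort-style rule string is what I would write for that window, not a rule from the post.

```python
"""Detection helpers for the SAVCE (tcp/2967) worm traffic described on the list.

Added example, not from the original post.  Facts taken from the post:
  - payload prefix (hex) eb060d101e506d6d, near the start of the data
  - delivery port 2967, backdoor port 8555, C2 destination port 21881
Assumptions (mine): MAX_OFFSET, the constructed sample packets, the
placeholder C2 address, and the Snort rule text.
"""
from typing import Dict, Iterable, List, NamedTuple, Set

SAVCE_PAYLOAD_PREFIX = bytes.fromhex("eb060d101e506d6d")  # from the post
SAVCE_PORT = 2967      # SAVCE managed-client port the worm attacks
BACKDOOR_PORT = 8555   # cmd.exe channel opened by one variant
C2_PORT = 21881        # destination port some variants use for C2
MAX_OFFSET = 8         # assumption: "near the beginning" = prefix starts within 8 bytes


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int
    payload: bytes


def has_savce_prefix(payload: bytes, max_offset: int = MAX_OFFSET) -> bool:
    """True if the 8-byte prefix occurs with a start offset <= max_offset.

    bytes.find(sub, start, end) only reports a hit that lies entirely inside
    [start, end), so the end bound is max_offset + len(prefix).
    """
    end = max_offset + len(SAVCE_PAYLOAD_PREFIX)
    return payload.find(SAVCE_PAYLOAD_PREFIX, 0, end) != -1


def flag_packets(packets: Iterable[Packet]) -> List[Packet]:
    """Packets that look like the worm's payload delivery: to 2967 with the prefix."""
    return [p for p in packets if p.dport == SAVCE_PORT and has_savce_prefix(p.payload)]


def c2_attempts(packets: Iterable[Packet]) -> List[Packet]:
    """Outbound connections to the C2 port; worth a second look on any host."""
    return [p for p in packets if p.dport == C2_PORT]


def infected_hosts(open_ports: Dict[str, Set[int]]) -> List[str]:
    """Hosts listening on BOTH 2967 and 8555, per the post's triage rule.

    open_ports maps host -> set of listening TCP ports (e.g. from a port scan).
    """
    wanted = {SAVCE_PORT, BACKDOOR_PORT}
    return sorted(host for host, ports in open_ports.items() if wanted <= ports)


def snort_rule(sid: int = 1000001) -> str:
    """Snort-2-style rule for the prefix (assumed text, not from the post).

    depth:16 lets an 8-byte content start no later than offset 8, matching
    MAX_OFFSET above.
    """
    return (
        f'alert tcp any any -> $HOME_NET {SAVCE_PORT} '
        f'(msg:"SAVCE worm payload prefix"; flow:to_server,established; '
        f'content:"|EB 06 0D 10 1E 50 6D 6D|"; depth:{MAX_OFFSET + 8}; '
        f'sid:{sid}; rev:1;)'
    )


# Constructed sample traffic (not a real capture).  198.51.100.9 is a
# documentation-range placeholder standing in for the C2 host.
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "10.0.1.20", 2967, b"A" * 1024),                     # padding, packet 1
    Packet("10.0.0.5", "10.0.1.20", 2967, b"B" * 1024),                     # padding, packet 2
    Packet("10.0.0.5", "10.0.1.20", 2967,
           b"\x00\x00" + SAVCE_PAYLOAD_PREFIX + b"\x90" * 200),             # packet 3: payload
    Packet("10.0.0.5", "10.0.1.20", 445, SAVCE_PAYLOAD_PREFIX + b"\x00" * 8),  # wrong port
    Packet("10.0.0.5", "10.0.1.20", 2967, b"C" * 100 + SAVCE_PAYLOAD_PREFIX),  # prefix too deep
    Packet("10.0.1.20", "198.51.100.9", 21881, b""),                        # C2 attempt
]

# Constructed scan results: host -> listening TCP ports.
SAMPLE_OPEN_PORTS = {
    "10.0.1.20": {139, 445, 2967, 8555},  # SAVCE plus the backdoor: infected
    "10.0.1.21": {139, 445, 2967},        # just a managed SAVCE client
    "10.0.1.22": {8555},                  # 8555 alone does not meet the rule
}


if __name__ == "__main__":
    for p in flag_packets(SAMPLE_PACKETS):
        print(f"payload delivery {p.src} -> {p.dst}:{p.dport}")
    for p in c2_attempts(SAMPLE_PACKETS):
        print(f"C2 attempt {p.src} -> {p.dst}:{p.dport}")
    print("infected:", infected_hosts(SAMPLE_OPEN_PORTS))
    print(snort_rule())
```

Of the six constructed packets only the third is flagged: the padding packets lack the prefix, the port-445 packet has it but is not on 2967, and the last 2967 packet buries it 100 bytes in, outside the assumed window. If you find the real worm places the bytes further in, raise `MAX_OFFSET` (and the rule's `depth`) rather than dropping the offset bound, since an unbounded search over a 1 KB ASCII padding packet costs more and matches more noise.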
Current thread:
- symantec targetting worm robin (Dec 28)
- <Possible follow-ups>
- Re: symantec targetting worm David Gillett (Dec 28)
- Re: symantec targetting worm Mike Iglesias (Dec 29)