nanog mailing list archives

Re: worm information

From: Jeff Workman <jworkman () pimpworks org>
Date: Sat, 10 Apr 2004 13:53:15 -0400

--On Saturday, April 10, 2004 8:35 AM -0700 "Christopher J. Wolff"<chris () bblabs com> wrote:


Hello,

Over the last few days I've seen a number of hosts attempt to initiate TCP
connections to the following ports in sequence.

80
139
445
6129
3127
1025
135
2745
...repeat.

There's a number of viruses/worms in the wild that are programmed toexploit various M$ vulnerabilities:


80  - IIS WebDAV (MS03-007)and any number of other IIS vulnerabilities
135 - DCOM RPC (MS03-026)
445 - RPC locator (MS03-001) and Workstation service (MS03-049)
139 - Unpassworded NetBIOS shares

I'm not sure about the other ports, I *think* 1025 has something to do withMS RPC as well, but don't quote me on that.

What you are probably seeing, at least in the cases involving the ports Ilisted above, is one of the many W32.Gaobot (Symantec)[1] variants.

-J

[1]http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm

--
Jeff Workman | jworkman () pimpworks org | http://www.pimpworks.org

Current thread:

worm information Christopher J. Wolff (Apr 10)
- Re: worm information Jeff Workman (Apr 10)
  - Re: worm information Darrell Greenwood (Apr 10)
    - Re: worm information ravi pina (Apr 10)
    - RE: worm information Christopher J. Wolff (Apr 10)
    - Re: worm information ravi pina (Apr 10)
    - RE: worm information Christopher J. Wolff (Apr 10)
- Re: worm information Jack McCarthy (Apr 12)