Educause Security Discussion mailing list archives

Re: Sobig.f update cycle this afternoon


From: Marty Hoag <Marty.Hoag () NDSU NODAK EDU>
Date: Fri, 22 Aug 2003 15:29:15 -0500

   Of course we may not be out of the woods if the
following is true and used:

Sobig.F also opens the following ports:

    * 995/udp
    * 996/udp
    * 997/udp
    * 998/udp
    * 999/udp

And, it listens for any incoming UDP datagrams on these ports. Incoming
datagrams are parsed, and upon receiving a datagram with the proper
signature, the master server list of the worm may be updated.
...

That was from the Symantec site but is mentioned in other
places too.

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
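The port list quoted in the message above can be turned into a flow-log check. This is an added example, not part of the original post or of any vendor tool: the record format (time,proto,src,sport,dst,dport), the sample records, the `10.1.` internal prefix and the function name are all constructed assumptions. It matches on protocol as well as port, because 995/tcp is ordinary POP3 over TLS and would otherwise be flagged.

```python
import csv
import io
from collections import defaultdict

# UDP ports the quoted advisory text says Sobig.F listens on (995-999).
SOBIG_F_UDP_PORTS = frozenset(range(995, 1000))

# Constructed sample flow records, assumed format:
# time,proto,src,sport,dst,dport
SAMPLE_FLOWS = """\
2003-08-22T15:01:10,udp,203.0.113.7,4021,10.1.4.23,995
2003-08-22T15:01:11,udp,203.0.113.7,4021,10.1.4.23,996
2003-08-22T15:01:12,tcp,198.51.100.9,51322,10.1.2.5,995
2003-08-22T15:02:40,udp,10.1.4.80,1027,10.1.0.2,53
2003-08-22T15:03:05,udp,198.51.100.44,3301,10.1.4.23,999
2003-08-22T15:03:09,udp,198.51.100.44,3301,10.1.7.61,998
not,a,valid,record
"""


def udp_995_999_targets(flow_text, internal_prefix="10.1."):
    """Map each internal host that was sent UDP datagrams on 995-999
    to the ports hit and the source addresses that sent them."""
    hits = defaultdict(lambda: {"ports": set(), "sources": set()})
    for row in csv.reader(io.StringIO(flow_text)):
        if len(row) != 6:
            continue  # skip malformed records
        _, proto, src, _, dst, dport = row
        # Protocol must be UDP: 995/tcp is POP3 over TLS, not the worm.
        if proto.lower() != "udp" or not dport.isdigit():
            continue
        if int(dport) in SOBIG_F_UDP_PORTS and dst.startswith(internal_prefix):
            hits[dst]["ports"].add(int(dport))
            hits[dst]["sources"].add(src)
    return dict(hits)


if __name__ == "__main__":
    for host, info in sorted(udp_995_999_targets(SAMPLE_FLOWS).items()):
        print(host, sorted(info["ports"]), sorted(info["sources"]))
```

A hit only shows that datagrams were sent to those ports; whether the host is infected still has to be confirmed on the machine itself.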
