Educause Security Discussion mailing list archives

Re: Am I the only one?


From: Mark Wilson <wilsodm () AUBURN EDU>
Date: Wed, 14 Apr 2004 10:24:36 -0500

We have seen this extensively on our network.  It is the AgoBot/GaoBOt
worm/trojan or variant.  It also goes by the name polybot.  Nasty little
booger.  It installs a backdoor and scans for "blank" or weak admin
passwords, various MS vulnerabilities, and DameWare (port 6129)
weaknesses.  It kills most anti-virus processes/programs.  Seems to be
particularly bad on University networks.

If you do an nmap scan, you will find high ports open.  Most times when
you telnet into the trojan port (BTW, it changes on each infection), you
will get:
220 Bot Server (Win32)

It has remote command and DOS functionality.
Useful Links:
http://uk.trendmicro-europe.com/enterprise/security_info/ve_detail.php?VName=WORM_AGOBOT.HN&VSect=T

http://vil.nai.com/vil/content/v_101100.htm
http://www.lurhq.com/phatbot.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.ul.html



Mark Wilson
GCIA, CISSP #53153
Network Security Specialist
Auburn University
(334) 844-9347

jim.pollard () MAIL UTEXAS EDU 4/14/2004 9:50:18 AM >>>
Or did I miss it on Bugtraq?  Recently I've noticed a scan pattern in
my logs and wonder if anyone might recognize it as either a known virus
or some kiddie scanning tool looking for virus backdoors?  There are
some variations... occasionally port 80 and 8080 are included.

Service: 1025 (tcp/1025) (net2fw:DROP:,eth1,none) - 2 packets
    (take your pick... either network blackjack or an assortment of viruses and backdoors)
Service: 2745 (tcp/2745) (:net2fw:DROP:,eth1,none) - 2 packets
    (Beagle virus)
Service: 3127 (tcp/3127) (:net2fw:DROP:,eth1,none) - 2 packets
    (MyDoom virus)
Service: 6129 (tcp/6129) (net2fw:DROP:,eth1,none) - 3 packets
    (W32.Mockbot) also Dameware


Thanks!

Jim
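The scan pattern Jim describes (one source sweeping 1025, 2745, 3127 and 6129, i.e. hunting for existing backdoors) can be picked out of dropped-packet logs automatically. The following is an added example, not code from either poster: it reads constructed Shorewall/netfilter-style DROP lines (the leading epoch timestamp, the addresses and the 120-second window are assumptions) and flags any source that touches at least three of those ports within the window.

```python
import re
from collections import defaultdict

# Ports named in the thread: 1025 (assorted backdoors), 2745 (Beagle),
# 3127 (MyDoom), 6129 (DameWare). Hitting several of them from one
# source in a short burst is the backdoor-hunting pattern being asked about.
BACKDOOR_PORTS = {1025, 2745, 3127, 6129}
MIN_DISTINCT_PORTS = 3      # assumption: three of four is enough to flag
WINDOW_SECONDS = 120        # assumption: a sweep completes within 2 minutes

# Constructed line format: "<epoch> kernel: Shorewall:net2fw:DROP:IN=eth1 ...
# SRC=a.b.c.d DST=... PROTO=TCP SPT=n DPT=n" (epoch prefix is an assumption).
LINE_RE = re.compile(
    r"^(?P<ts>\d+)\s+.*?SRC=(?P<src>[\d.]+).*?PROTO=TCP.*?DPT=(?P<dpt>\d+)")

def parse(line):
    """Return (timestamp, source_ip, dest_port) or None for non-matching lines."""
    m = LINE_RE.search(line)
    return (int(m["ts"]), m["src"], int(m["dpt"])) if m else None

def find_backdoor_scanners(lines):
    """Return {src: sorted ports} for every source that probed at least
    MIN_DISTINCT_PORTS of BACKDOOR_PORTS inside one WINDOW_SECONDS span."""
    hits = defaultdict(list)                    # src -> [(ts, port), ...]
    for line in lines:
        rec = parse(line)
        if rec and rec[2] in BACKDOOR_PORTS:
            hits[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):    # slide the window start
            ports = {p for t, p in events[i:] if t - t0 <= WINDOW_SECONDS}
            if len(ports) >= MIN_DISTINCT_PORTS:
                flagged[src] = sorted(ports)
                break
    return flagged

# Constructed sample: 192.0.2.10 sweeps all four ports (plus 80) in seconds;
# 203.0.113.7 touches 1025 once, then two ports hours later (not a sweep).
SAMPLE_LOG = """\
1081958400 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4431 DPT=1025
1081958401 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4432 DPT=2745
1081958401 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4433 DPT=3127
1081958402 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4434 DPT=6129
1081958402 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=4435 DPT=80
1081958500 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1100 DPT=1025
1081965000 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1101 DPT=2745
1081965001 kernel: Shorewall:net2fw:DROP:IN=eth1 OUT= SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP SPT=1102 DPT=3127
"""

if __name__ == "__main__":
    print(find_backdoor_scanners(SAMPLE_LOG.splitlines()))
```

Port 80/8080 probes are deliberately ignored, since web hits alone are too common to be a useful signal; only the backdoor-port set counts toward the threshold.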

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.

