Educause Security Discussion mailing list archives
Re: New Virus/Trojan/...?
From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Wed, 6 Oct 2004 10:49:34 -0500
At 09:13 AM 10/6/2004, Jason Brooks wrote:
We submitted the executable Quicktimee.exe that was doing the port 445 scans to McAfee yesterday morning. They responded yesterday afternoon classifying it as W32/SDBot.worm. They also issued us an EXTRA.DAT which will be cycled into production DATs soon. Thanks for the suggestions, Jason Brooks
I submitted a copy as well. The system I examined also had an ftp server on port 31907 "220 StnyFtpd 0wns j0", running tfpd
-----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Weeks Sent: Monday, October 04, 2004 5:21 PM To: SECURITY () LISTSERV EDUCAUSE EDU Subject: Re: [SECURITY] New Virus/Trojan/...? On Mon, 4 Oct 2004, Jason Brooks wrote: : Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels : of port scanning for port 445 from our students. We have obtained one : laptop for analysis. Here are our findings: : : Process Quicktimee.exe is opening numerous outbound connections to <snip> : So, with that, does it look familiar to anyone? McAfee doesn't know it, and : can't turn up anything seemingly related in Google, etc. : : Suggestions/Help? You might try the Incidents mailinglist at SecurityFocus: http://www.securityfocus.com/incidents scott x=x=x=x=x=x=x=x=x=x=x=x ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Wayne Hauber (515) 294-9890 Network Information & Microcomputer Network Services Office of Academic Information Technologies 109 Durham Center, ISU, Ames, Iowa 50011 wjhauber () iastate edu ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.
Current thread:
- New Virus/Trojan/...? Jason Brooks (Oct 04)
- <Possible follow-ups>
- Re: New Virus/Trojan/...? James Riden (Oct 04)
- Re: New Virus/Trojan/...? Scott Weeks (Oct 04)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 06)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 06)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 07)
- Re: New Virus/Trojan/...? Justin Azoff (Oct 07)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 07)