Educause Security Discussion mailing list archives
Re: New Virus/Trojan/...?
From: Jason Brooks <brooksje () LONGWOOD EDU>
Date: Thu, 7 Oct 2004 09:05:40 -0400
Wayne,

Was the tftp server running from the Quicktimee.exe process or another one?

Thanks,
Jason

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
Sent: Wednesday, October 06, 2004 11:50 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

At 09:13 AM 10/6/2004, Jason Brooks wrote:
We submitted the executable Quicktimee.exe that was doing the port 445 scans to McAfee yesterday morning. They responded yesterday afternoon classifying it as W32/SDBot.worm. They also issued us an EXTRA.DAT which will be cycled into production DATs soon.

Thanks for the suggestions,
Jason Brooks

I submitted a copy as well. The system I examined also had an ftp server on port 31907 "220 StnyFtpd 0wns j0", running tfpd

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Scott Weeks
Sent: Monday, October 04, 2004 5:21 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] New Virus/Trojan/...?

On Mon, 4 Oct 2004, Jason Brooks wrote:

: Beginning about 16:45 EDT on Sunday 3 Oct 2004, we began seeing high levels
: of port scanning for port 445 from our students. We have obtained one
: laptop for analysis. Here are our findings:
:
: Process Quicktimee.exe is opening numerous outbound connections to

<snip>

: So, with that, does it look familiar to anyone? McAfee doesn't know it, and
: can't turn up anything seemingly related in Google, etc.
:
: Suggestions/Help?

You might try the Incidents mailinglist at SecurityFocus:

http://www.securityfocus.com/incidents

scott

x=x=x=x=x=x=x=x=x=x=x=x

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu

Current thread:
- New Virus/Trojan/...? Jason Brooks (Oct 04)
- <Possible follow-ups>
- Re: New Virus/Trojan/...? James Riden (Oct 04)
- Re: New Virus/Trojan/...? Scott Weeks (Oct 04)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 06)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 06)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 07)
- Re: New Virus/Trojan/...? Justin Azoff (Oct 07)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 07)