Educause Security Discussion mailing list archives

Re: New Virus/Trojan/...?


From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 7 Oct 2004 09:58:06 -0500

At 08:22 AM 10/7/2004, Justin Azoff wrote:
On Thu, 2004-10-07 at 09:05, Jason Brooks wrote:
> Wayne,
>         Was the tftp server running from the Quicktimee.exe process or
> another one?
>
> Thanks,
> Jason
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
> Sent: Wednesday, October 06, 2004 11:50 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] New Virus/Trojan/...?
>
> At 09:13 AM 10/6/2004, Jason Brooks wrote:
> >We submitted the executable Quicktimee.exe that was doing the port 445 scans
> >to McAfee yesterday morning.  They responded yesterday afternoon classifying
> >it as W32/SDBot.worm.  They also issued us an EXTRA.DAT which will be cycled
> >into production DATs soon.
> >
> >Thanks for the suggestions,
> >Jason Brooks
>
> I submitted a copy as well. The system I examined also had an ftp server on
> port 31907 "220 StnyFtpd 0wns j0", running tfpd

It's not tftp, it's just ftp. If you manage to download the file and scan
it, you will find that it is indeed sdbot or similar.

Actually, we found tftp listening on the standard tftp UDP port *and* an
ftp server running on a random port. We are trying to find a good method to
scan for these active tftp listeners to see if we can locate more of the
sick systems.

Wayne Hauber


--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/groups/.


Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu
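
One way to check hosts you administer for the kind of listener on the standard TFTP UDP port described in the message above. This is an added example, not code from anyone in the thread. It assumes `host` is an IPv4 address, and the requested file name is constructed.

```python
import socket
import struct
import sys

TFTP_PORT = 69  # the standard TFTP UDP port mentioned in the message


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """RFC 1350 read request: opcode 1, filename, NUL, mode, NUL."""
    return (struct.pack("!H", 1) + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")


def classify_reply(data: bytes) -> str:
    """Decide whether a datagram looks like a TFTP server's answer to an RRQ."""
    if len(data) < 4:
        return "not-tftp"
    opcode, arg = struct.unpack("!HH", data[:4])
    if opcode == 3 and arg == 1 and len(data) <= 4 + 512:
        return "tftp-listener (sent DATA block 1)"
    if opcode == 5:  # ERROR: 2-byte code, then NUL-terminated message
        msg = data[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return f"tftp-listener (ERROR {arg}: {msg})"
    return "not-tftp"


def probe(host: str, timeout: float = 2.0) -> str:
    """Send one RRQ for a constructed, unlikely file name and classify the reply.

    A TFTP server answers from a new ephemeral port (its transfer ID), so the
    reply is accepted from any source port on the probed address.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_rrq("probe-nonexistent.bin"), (host, TFTP_PORT))
            while True:
                data, (src, _port) = s.recvfrom(1024)
                if src == host:
                    return classify_reply(data)
        except socket.timeout:
            return "no-reply (closed, filtered, or silent)"
        except OSError as exc:  # e.g. ICMP port unreachable surfaced by the OS
            return f"no-reply ({exc.__class__.__name__})"


if __name__ == "__main__":
    for target in sys.argv[1:]:
        print(target, probe(target))
```

A listener that silently drops requests for files it does not have will show as no-reply, so a timeout does not prove a host is clean.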
