Educause Security Discussion mailing list archives
Re: New Virus/Trojan/...?
From: "Wayne J. Hauber" <wjhauber () IASTATE EDU>
Date: Thu, 7 Oct 2004 09:58:06 -0500
At 08:22 AM 10/7/2004, Justin Azoff wrote:
On Thu, 2004-10-07 at 09:05, Jason Brooks wrote:
> Wayne,
> Was the tftp server running from the Quicktimee.exe process or
> another one?
>
> Thanks,
> Jason
>
> -----Original Message-----
> From: The EDUCAUSE Security Discussion Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Wayne J. Hauber
> Sent: Wednesday, October 06, 2004 11:50 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] New Virus/Trojan/...?
>
> At 09:13 AM 10/6/2004, Jason Brooks wrote:
> >We submitted the executable Quicktimee.exe that was doing the port 445 scans
> >to McAfee yesterday morning. They responded yesterday afternoon classifying
> >it as W32/SDBot.worm. They also issued us an EXTRA.DAT which will be cycled
> >into production DATs soon.
> >
> >Thanks for the suggestions,
> >Jason Brooks
>
> I submitted a copy as well. The system I examined also had an ftp server on
> port 31907 "220 StnyFtpd 0wns j0", running tfpd

It's not tftp, it's just ftp. If you manage to download the file and scan it, you will find that it is indeed sdbot or similar.

Actually, we found tftp listening on the standard tftp UDP port *and* an ftp server running on a random port. We are trying to find a good method to scan for these active tftp listeners to see if we can locate more of the sick systems.

Wayne Hauber

--
-- Justin Azoff
-- Network Performance Analyst

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/groups/.

Wayne Hauber (515) 294-9890
Network Information & Microcomputer Network Services
Office of Academic Information Technologies
109 Durham Center, ISU, Ames, Iowa 50011
wjhauber () iastate edu

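
One way to check a host for the kind of tftp listener discussed in this message, as an added example that is not part of the original thread: send a single RFC 1350 read request to UDP port 69 and classify the reply. The function names and the probe filename are illustrative assumptions, and `probe` expects an IPv4 address string for a host you administer.

```python
import socket
import struct

# TFTP opcodes (RFC 1350)
RRQ, DATA, ERROR = 1, 3, 5

def build_rrq(filename="probe-nonexistent", mode="octet"):
    """Read request: 2-byte opcode, then NUL-terminated filename and mode."""
    return struct.pack("!H", RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def classify_reply(payload):
    """Describe a TFTP DATA or ERROR packet; return None for anything else."""
    if len(payload) < 4:
        return None
    opcode, value = struct.unpack("!HH", payload[:4])
    if opcode == DATA:
        return "tftp listener: DATA block %d" % value
    if opcode == ERROR:
        msg = payload[4:].split(b"\0", 1)[0].decode("ascii", "replace")
        return "tftp listener: ERROR %d (%s)" % (value, msg)
    return None

def probe(host, port=69, timeout=2.0):
    """Send one RRQ to an IPv4 address; None means no TFTP answer was seen."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_rrq(), (host, port))
            # The server replies from a new ephemeral port (its transfer ID),
            # not from port 69, so match on source address only.
            payload, peer = s.recvfrom(516)
        except OSError:  # includes socket.timeout
            return None
    return classify_reply(payload) if peer[0] == host else None

if __name__ == "__main__":
    # Constructed sample replies, not captured traffic.
    samples = [
        b"\x00\x05\x00\x01File not found\x00",  # ERROR code 1
        b"\x00\x03\x00\x01MZ",                  # DATA block 1
        b"220 banner\r\n",                      # not TFTP
    ]
    for pkt in samples:
        print(classify_reply(pkt))
```

Silence is not proof of a clean host: UDP loss, a host firewall, or a listener that ignores unknown filenames all look the same as no listener.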
Current thread:
- New Virus/Trojan/...? Jason Brooks (Oct 04)
- <Possible follow-ups>
- Re: New Virus/Trojan/...? James Riden (Oct 04)
- Re: New Virus/Trojan/...? Scott Weeks (Oct 04)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 06)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 06)
- Re: New Virus/Trojan/...? Jason Brooks (Oct 07)
- Re: New Virus/Trojan/...? Justin Azoff (Oct 07)
- Re: New Virus/Trojan/...? Wayne J. Hauber (Oct 07)