Full Disclosure mailing list archives

Re: sharp increase on 27347/TCP


From: "Kristian Hermansen" <khermansen () ht-technology com>
Date: Tue, 28 Oct 2003 18:13:04 -0500

Looks like W32/Spybot.worm.gen discovered on 4/23/2003 and documented here by
McAfee:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100282

---SNIP---
"The worm copies itself around and into the folder defined by
"Kazaa\localcontent" registry key and into "kazaabackupfiles" subdirectory.
Some copies may have enticing names (like "porn.exe", "Matrix Screensaver
1.5.scr", "Smart Ripper v2.7.exe", etc.) so other people may download the
worm through P2P file sharing program. Once the downloaded copy of the worm
is executed the cycle repeats itself. Some variants can scan subnets for
systems already infected by sub7 or kuang2 to spread further."
---SNIP---

So possibly a whole bunch of hosts on Kazaa became infected rapidly and that
is why we see the spike.  To support this, check out who the offending
parties are here:

http://www.mynetwatchman.com/incidentsbyport.asp?range=0&SID=0x066AD3&ServiceName=tcp/27347

Looks like Cable/DSL subscribers for the most part.  Any thoughts?

Also documented here (notice "research pending") for tcp/27347:

http://www.mynetwatchman.com/tp.asp


Kristian Hermansen
CEO - H&T Technology Solutions


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

