Full Disclosure mailing list archives
Re: sharp increase on 27347/TCP
From: "Kristian Hermansen" <khermansen () ht-technology com>
Date: Tue, 28 Oct 2003 18:13:04 -0500

Looks like W32/Spybot.worm.gen discovered on 4/23/2003 and documented here by McAfee:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100282

---SNIP---
"The worm copies itself around and into the folder defined by "Kazaa\localcontent" registry key and into "kazaabackupfiles" subdirectory. Some copies may have enticing names (like "porn.exe", "Matrix Screensaver 1.5.scr", "Smart Ripper v2.7.exe", etc.) so other people may download the worm through P2P file sharing program. Once the downloaded copy of the worm is executed the cycle repeats itself. Some variants can scan subnets for systems already infected by sub7 or kuang2 to spread further."
---SNIP---

So possibly a whole bunch of hosts on Kazaa became infected rapidly and that is why we see the spike. To support this, check out who the offending parties are here:

http://www.mynetwatchman.com/incidentsbyport.asp?range=0&SID=0x066AD3&ServiceName=tcp/27347

Looks like Cable/DSL subscribers for the most part. Any thoughts?

Also documented here (notice "research pending") for tcp/27347:

http://www.mynetwatchman.com/tp.asp

Kristian Hermansen
CEO - H&T Technology Solutions

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:
- sharp increase on 27347/TCP Eric Bowser (Oct 28)
- Re: sharp increase on 27347/TCP Joshua Levitsky (Oct 28)
- Re: sharp increase on 27347/TCP Will Image (Oct 28)
- Re: sharp increase on 27347/TCP Eric Bowser (Oct 28)
- Re: sharp increase on 27347/TCP Kristian Hermansen (Oct 28)
- Re: sharp increase on 27347/TCP Nick FitzGerald (Oct 28)
- Re: sharp increase on 27347/TCP morning_wood (Oct 28)
- Re: sharp increase on 27347/TCP Will Image (Oct 28)
- Re: sharp increase on 27347/TCP Joshua Levitsky (Oct 28)
- <Possible follow-ups>
- Fw: sharp increase on 27347/TCP SPAM (Oct 28)
- Re: Fw: sharp increase on 27347/TCP Eric Bowser (Oct 29)
- Re: Fw: sharp increase on 27347/TCP Eric Bowser (Oct 29)