Full Disclosure mailing list archives
Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
From: Honza Vlach <janus () volny cz>
Date: Thu, 22 Apr 2004 10:45:42 +0200
Hi,

we've experienced this worm too, and disinfected it as a new variant of Agobot (Gaobot). Basically it exploits poorly protected Windows shares, the RPC DCOM bug in Windows etc. (most of the people infected had admin/admin login/passwords on their computers with the default C$ share). Combine this with a heavily unpatched system and Agobot can pick an attack vector according to its current mood :-)

By the way, it also acts as an IRC backdoor, which makes infected computers zombies. More info at:

http://www.mynetwatchman.com/tools/sc/Agobot.htm
http://isc.sans.org/diary.php?date=2004-04-01
http://www.sophos.com/virusinfo/analyses/w32agobotga.html

Should be detected and disinfected by major antiviruses by now. Avast4 worked well for us.

http://www.asw.cz/i_idt_1404.html

Have a nice day,
Honza Vlach

On Wed, Apr 21, 2004 at 02:16:04AM -0700, mgotts () 2roads com wrote:
> To: Jeff Kell <jeff-kell () utc edu>
> Cc: Incidents <incidents () securityfocus com>, General DShield Discussion List <list () dshield org>
> Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
> X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
> From: mgotts () 2roads com
> Date: Wed, 21 Apr 2004 02:16:04 -0700
>
> Sound familiar to anyone?
>
> Have not seen the particular virus/worm, but have seen scans from single IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence.
>
> 6129 is the default port for the DameWare remote control agent:
> http://isc.sans.org/port_details.php?port=6129
>
> 3127 is used by MyDoom, Novarg and variants:
> http://isc.sans.org/port_details.php?isc=4359007a189bdac49792ce2e8ac2f7f0&port=3127&repax=1&tarax=2&srcax=2&percent=N&days=40
>
> I'd start with these. But it could, as always, be yet another variant. Lucky you.
>
> --
> Mark Gottschalk
> Two Roads Professional Resources

--
() ascii ribbon campaign - against html mail
/\ - against microsoft attachments
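As an added example (not code from either poster), here is one way to turn Mark's observation, single source IPs probing 6129, 2745, 135, 445, 1025 and 3127 in sequence, into a check over firewall logs. The iptables-style log lines, hostnames and addresses below are constructed for the example.

```python
"""Flag sources whose connection attempts match the Agobot/Gaobot scan
pattern reported in the thread. Log format and addresses are constructed."""
import re
from collections import defaultdict

# Ports Mark's post reports seeing scanned in sequence from single IPs.
AGOBOT_PORTS = {6129, 2745, 135, 445, 1025, 3127}

# Constructed sample log (iptables-like syslog lines). 10.1.5.23 walks the
# whole port list against one host; 10.1.7.9 makes two unrelated connections.
SAMPLE_LOG = """\
Apr 21 02:10:01 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=6129 SYN
Apr 21 02:10:01 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=2745 SYN
Apr 21 02:10:01 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=135 SYN
Apr 21 02:10:02 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=445 SYN
Apr 21 02:10:02 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=1025 SYN
Apr 21 02:10:02 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.40 PROTO=TCP DPT=3127 SYN
Apr 21 02:10:03 fw kernel: IN=eth0 SRC=10.1.5.23 DST=10.1.5.41 PROTO=TCP DPT=6129 SYN
Apr 21 02:11:00 fw kernel: IN=eth0 SRC=10.1.7.9 DST=10.1.5.40 PROTO=TCP DPT=445 SYN
Apr 21 02:11:30 fw kernel: IN=eth0 SRC=10.1.7.9 DST=10.1.5.42 PROTO=TCP DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dpt>\d+)")


def suspicious_sources(log_text, min_ports=4):
    """Return {src: sorted worm ports} for sources that hit at least min_ports
    of AGOBOT_PORTS on the same destination. Counting distinct worm ports per
    (src, dst) pair keeps a lone SMB connection like 10.1.7.9 from being flagged."""
    hits = defaultdict(set)  # (src, dst) -> worm ports seen
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP connection-attempt line; ignore
        port = int(m.group("dpt"))
        if port in AGOBOT_PORTS:
            hits[(m.group("src"), m.group("dst"))].add(port)
    flagged = {}
    for (src, _dst), ports in hits.items():
        if len(ports) >= min_ports:
            flagged.setdefault(src, set()).update(ports)
    return {src: sorted(ports) for src, ports in flagged.items()}


if __name__ == "__main__":
    for src, ports in suspicious_sources(SAMPLE_LOG).items():
        print(f"{src}: probable Agobot scanner, worm ports hit {ports}")
```

Raising min_ports trades missed slow scanners for fewer false positives; a host that legitimately reaches 135 and 445 on a file server will never reach four of the six.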