Re: Possible variant of Blaster/Nachi/Welchia? (more)

[Bob Barron <rbarron () isc upenn edu>]

I'm pretty certain that only the mass mailing and network propagation 
mechanisms of SoBig.F de-activated on 9/10/03;  the backdoor component 
of the worm, which uses NTP and UDP 8998, still will activate each 
Friday.  However, I do not see 207.46.130.100 in the list of NTP servers 
that the worm tries to contact, so I'm not sure this is SoBig.F that 
Jeff Kell is seeing.

--
Bob Barron
Senior IT Support Specialist
ISC Provider Desk
University of Pennsylvania
rbarron () isc upenn edu

Jean-Luc Cavey wrote:
> ---- Original Message ----
> From: "Steven D. Smith" <sds07 () health state ny us>
> To: "Jeff Kell" <jeff-kell () utc edu>
> Cc: "Incidents" <incidents () securityfocus com>; "General DShield
> Discussion List" <list () dshield org> 
> Sent: Friday, September 26, 2003 8:08 PM
> Subject: Re: Possible variant of Blaster/Nachi/Welchia? (more)
>
>
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f () mm html
>
>
>
> Humm...
>
> Was not W32.Sobig-F supposed to stop to propagate on Sept. 9 23:59 ?
>
> See NOTES on the above page : 
>
> <cite>
> The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003. 
> </cite>
>
> Jean-Luc Cavey
>
> ---------------------------------------------------------------------------
> ----------------------------------------------------------------------------




---------------------------------------------------------------------------
----------------------------------------------------------------------------