Security Incidents mailing list archives

RE: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127


From: "Bojan Zdrnja" <Bojan.Zdrnja () LSS hr>
Date: Wed, 21 Apr 2004 23:08:44 +1200

Hi Jeff, 

-----Original Message-----
From: Jeff Kell [mailto:jeff-kell () utc edu] 
Sent: Wednesday, 21 April 2004 2:02 p.m.
To: General DShield Discussion List; Incidents
Subject: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

We have had a significant outbreak of a yet-unidentified virus on campus
covering several dozen machines and one remote lab (possibly 100 in
all).  The characteristics I have observed remotely (no possibility of
forensics at the moment, just shutting down ports) are as follows:

* listens on two random, high-numbered tcp ports
* picks a random address within the infected machine's /8 subnet
* scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
   source ports (the source port is not fixed).

This is almost certainly some variant of Gaobot, maybe even Phatbot.

Phatbot uses multiple vulnerabilities to propagate (too many to mention) and
it can also spread to machines previously infected by MyDoom or Bagle. It
can brute force MSSQL, kills almost all AV programs it finds on the target
machine and can use WASTE P2P protocol for remote management of infected
machines.

Phatbot will scan TCP ports 80, 135, 139, 445, 3127 (MyDoom) and 6129
(Dameware). It also opens several listeners. If you can, I'd suggest port
scanning infected machines with nmap to see if port 4387 is open - Phatbot
uses that port for communication via the WASTE protocol.

If possible, scan machines with AV program, some of them catch new variants
generically, although Agobot/Gaobot variants seem to appear every couple of
hours.

Cheers,

Bojan
CISSP
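Detection logic for the scanning pattern Jeff describes and Bojan attributes to Gaobot/Phatbot, as an added example that is not part of either post. It assumes a constructed "timestamp src dst dport" firewall log, and flags a source only when it has probed all four ports on two or more hosts inside its own /8.

```python
import ipaddress
from collections import defaultdict

# The four destination ports Jeff saw probed in sequence (all TCP).
WORM_PORTS = {80, 6129, 1025, 3127}

# Constructed sample firewall log (not from the thread), one connection
# attempt per line: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2004-04-21T10:00:01 10.20.30.40 10.7.1.9 80
2004-04-21T10:00:01 10.20.30.40 10.7.1.9 6129
2004-04-21T10:00:02 10.20.30.40 10.7.1.9 1025
2004-04-21T10:00:02 10.20.30.40 10.7.1.9 3127
2004-04-21T10:00:03 10.20.30.40 10.200.5.6 80
2004-04-21T10:00:03 10.20.30.40 10.200.5.6 6129
2004-04-21T10:00:04 10.20.30.40 10.200.5.6 1025
2004-04-21T10:00:04 10.20.30.40 10.200.5.6 3127
2004-04-21T10:00:05 10.20.30.41 192.168.1.2 80
2004-04-21T10:00:06 10.20.30.42 10.1.1.1 80
2004-04-21T10:00:07 10.20.30.42 10.1.1.1 6129
"""

def parse_log(text):
    """Yield (src, dst, dport) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield (ipaddress.ip_address(parts[1]),
                   ipaddress.ip_address(parts[2]), int(parts[3]))
        except ValueError:
            continue

def find_scanners(text, min_targets=2):
    """Return {src: [targets]} for sources that hit every port in WORM_PORTS
    on at least min_targets hosts inside the source's own /8 (IPv4 only)."""
    ports_by_pair = defaultdict(set)
    for src, dst, dport in parse_log(text):
        # Jeff reported targets picked at random inside the infected host's /8,
        # so a same-first-octet check keeps ordinary outbound web traffic out.
        if src.version == 4 and dst.version == 4 and src.packed[0] == dst.packed[0]:
            ports_by_pair[(src, dst)].add(dport)
    hits = defaultdict(list)
    for (src, dst), ports in ports_by_pair.items():
        if WORM_PORTS <= ports:
            hits[src].append(str(dst))
    return {str(s): sorted(t) for s, t in hits.items() if len(t) >= min_targets}
```

Hosts it returns are candidates for the nmap check of port 4387 that Bojan suggests, not confirmed infections.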

