AW: UDP port 4000 traffic: likely a new worm

["Florian Frotzler" <florian.frotzler () gmx at>]

I can acknowledge that we see the worm also in Europe/Austria. Today we
had a customer with a Black Ice firewall flooding us with random
4000/udp traffic before we shut him down. 


Kind Regards,

-- 
DI (FH) Florian Frotzler 
IT Planning 

e W ) a ) v ) e 
eWave Telekommunikation GmbH 
A-1210 Wien, Ignaz-Koeck-Strasse 1 


> Von: George Bakos
>
> The number of immediately vulnerable hosts was rapidly 
> depleted by the worm, given the launch was AFTER most 
> business had shut down for the weekend. I'll venture that 
> Black Ice, a commercial security product, is deployed much 
> more widely on the corporate laptop than the home machine.
>
> I expect to see more than a slight bump in those numbers come 
> Monday AM.
>
> g
>
> On Sat, 20 Mar 2004 13:50:30 -0800
> Josh Richards <jrichard () digitalwest net> wrote:
>
> > The good news is that "witty" appears to not be a very witty 
> > propagator. Our flow data shows attempts to connect to 4000/udp on 
> > hosts in our network having a downward trend over the last 
> few hours:
> > Time   Unique Source IPs
> > 08:00       350 
> > 09:00       332
> > 10:00       297
> > 11:00       298
> > 12:00       265 
>
>
> -- 
> George Bakos
> Institute for Security Technology Studies
> Dartmouth College
> gbakos () ists dartmouth edu
> 603.646.0665 -voice
> 603.646.0666 -fax
>
> pub  1024D/081ECB85 1999-04-09 George Bakos 
> <gbakos () ists dartmouth edu>
>      Key fingerprint = D646 8F91 F795 27EC FF8B  8C95 B102 
> 9EB2 081E CB85