Re: reports of DCOM worm on the loose...Report #4b
From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: Tue, 12 Aug 2003 15:48:49 -0400 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Thanks to Marc Maifrett of eEye and Robert Graham of ISS for pointing this out;
- scanning for systems listening on 69 indicate successfully attacked systems (or valid TFTP Server)
Please note that the TFTP server used in the worm runs for a very short period of time (~20 seconds), so detecting 69 listening will be difficult at best.
That said, since it appears possible that machines can be infected multiple times, the 69 listen may pop up and down frequently.
Russ - NTBugtraq Editor
Are You "Certifiable"? Summer's Hottest Certification Just Got HOTTER!
With a growth rate exceeding 110%, the TICSA security practitioner
certification is one of the hottest IT credentials available. And now, for
a limited time, you can save 33% off of the TICSA certification exam! To
learn more about the TICSA certification, and to register as a TICSA
candidate online, just go to