Re: Possible variant of Blaster/Nachi/Welchia? (more)

From: Bob Barron (rbarron_at_isc.upenn.edu)
Date: 09/26/03

    Date: Fri, 26 Sep 2003 17:08:51 -0400
    To: Incidents <incidents@securityfocus.com>
    
    

    I'm pretty certain that only the mass mailing and network propagation
    mechanisms of SoBig.F de-activated on 9/10/03; the backdoor component
    of the worm, which uses NTP and UDP 8998, still will activate each
    Friday. However, I do not see 207.46.130.100 in the list of NTP servers
    that the worm tries to contact, so I'm not sure this is SoBig.F that
    Jeff Kell is seeing.

    -- 
    Bob Barron
    Senior IT Support Specialist
    ISC Provider Desk
    University of Pennsylvania
    rbarron@isc.upenn.edu

    Jean-Luc Cavey wrote:
    > ---- Original Message ----
    > From: "Steven D. Smith" <sds07@health.state.ny.us>
    > To: "Jeff Kell" <jeff-kell@utc.edu>
    > Cc: "Incidents" <incidents@securityfocus.com>; "General DShield
    > Discussion List" <list@dshield.org> 
    > Sent: Friday, September 26, 2003 8:08 PM
    > Subject: Re: Possible variant of Blaster/Nachi/Welchia? (more)
    > 
    > 
    >>http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
    >>
    > 
    > 
    > 
    > Humm...
    > 
    > Was not W32.Sobig-F supposed to stop propagating on Sept. 9 23:59?
    > 
    > See NOTES on the above page : 
    > 
    > <cite>
    > The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003. 
    > </cite>
    > 
    > Jean-Luc Cavey
    > 
    
