new variant of witty worm ????

From: Steven Trewick (STrewick_at_joplings.co.uk)
Date: 03/23/04

    To: incidents@securityfocus.com
    Date: Tue, 23 Mar 2004 17:09:18 -0000
    
    

    Hi list,

    Thought I'd post this as a question, since I have not heard
    anything about it today, and would have expected to:

    At around 2300 GMT yesterday (Monday 22 March 2004) packets
    very similar to the witty worm were observed at our
    network border. (To my chagrin, my packet logs are at
    a different physical location, but I will post them in a few
    hours)

    The UDP packets were much shorter, missing the actual "witty message"
    text that was observed in the original traffic, and also the 'padding'
    from the end of the packet, but apparently containing the code to
    import the same dll functions as the original.

    The source port was not 4000, and the dest port was much lower
    than that of the original traffic.

    Was this maybe just a weird bounce from some distressed ISS
    kit? Has anyone else observed this?

    (Packet dump to follow ASAP)

    Cheers
    Steve T
