F-Prot Slipping

Nathan Johanson nathan at TCPNETWORKS.NET
Thu Aug 14 03:09:17 IST 2003


I must be missing something here... All the descriptions I've read about
this virus make no mention of an email component. Does this worm spread
via email?

I was under the impression that this virus infects unprotected Windows
computers on the Internet--machines not protected by a firewall w/ all
of the corresponding ports open to the world (TCP 135, TCP 4444, UDP
69). I haven't read anything about that being an email component.

Most of the virus descriptions (including this snippet from CERT) seem
to support this concept and make no mention of email:

Known exploits target TCP port 135 and create a privileged backdoor
command shell on successfully compromised hosts. Some versions of the
exploit use TCP port 4444 for the backdoor, and other versions use a TCP
port number specified by the intruder at run-time. We have also received
reports of scanning activity for common backdoor ports such as 4444/TCP.

Someone please correct me if I'm wrong. Thanks.

Nathan

-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond at PROLOCATION.NET] 
Sent: Wednesday, August 13, 2003 12:48 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: F-Prot Slipping


Hi!

> I was right.  F-Prot just included a fix for MSBlaster as of today. This
> virus has been causing grief here since Aug 8.  Here's a direct quote from
> F-Prot.

No you're not =) See my other posting :)

> Users of F-Prot Antivirus should update their virus signature
> files immediately. W32/Msblast.C is detected by F-Prot
> Antivirus using virus signature files dated 13 August 2003
> and later.

And also the .B version, the .A version was already detected. I have a
couple of hundred in my archive, so I am pretty sure it works.

Thanks.
Raymond.



