F-Prot Slipping
Nathan Johanson
nathan at TCPNETWORKS.NET
Thu Aug 14 03:09:17 IST 2003
I must be missing something here... All the descriptions I've read about
this virus make no mention of an email component. Does this worm spread
via email?
I was under the impression that this virus infects unprotected Windows
computers on the Internet--machines not protected by a firewall w/ all
of the corresponding ports open to the world (TCP 135, TCP 4444, UDP
69). I haven't read anything about that being a email component.
Most of the virus descriptions (including this snippet from CERT) seem
to support this concept and make no mention of email:
Known exploits target TCP port 135 and create a privileged backdoor
command shell on successfully compromised hosts. Some versions of the
exploit use TCP port 4444 for the backdoor, and other versions use a TCP
port number specified by the intruder at run-time. We have also received
reports of scanning activity for common backdoor ports such as 4444/TCP.
Someone please correct me if I'm wrong. Thanks.
Nathan
-----Original Message-----
From: Raymond Dijkxhoorn [mailto:raymond at PROLOCATION.NET]
Sent: Wednesday, August 13, 2003 12:48 PM
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: F-Prot Slipping
Hi!
> I was right. F-Prot just included a fix for MSBlaster as of today.
This
> virus has been causing grief here since Aug 8. Here's a direct quote
from
> F-Prot.
No you're not =) See my other posting :)
> Users of F-Prot Antivirus should update their virus signature
> files immediately. W32/Msblast.C is detected by F-Prot
> Antivirus using virus signature files dated 13 August 2003
> and later.
And also the .B version, the .A version was allready detected. I have a
couple of hundered in my archive, so i am pretty sure it works.
Thanks.
Raymond.
More information about the MailScanner
mailing list