F-Prot Slipping

Raymond Dijkxhoorn raymond at PROLOCATION.NET
Thu Aug 14 07:45:12 IST 2003


Hi!

> I must be missing something here... All the descriptions I've read about
> this virus make no mention of an email component. Does this worm spread
> via email?

It does. But people are also sending it around via mail.

> Most of the virus descriptions (including this snippet from CERT) seem
> to support this concept and make no mention of email:
>
> Known exploits target TCP port 135 and create a privileged backdoor
> command shell on successfully compromised hosts. Some versions of the
> exploit use TCP port 4444 for the backdoor, and other versions use a TCP
> port number specified by the intruder at run-time. We have also received
> reports of scanning activity for common backdoor ports such as 4444/TCP.
>
> Someone please correct me if I'm wrong. Thanks.

No, you are right. We have, however, caught it via mail also 448 times
since friday. Perhaps people are sending it over by hand. But they get
around with mail also for sure.

Bye,
Raymond.



More information about the MailScanner mailing list