Heads-up: Possible Sobig-F second wave attack

Julian Field mailscanner at ecs.soton.ac.uk
Fri Aug 22 16:51:06 IST 2003


More news from Symantec:

Blocking the following UDP ports internally may be a good idea.

(info taken from Symantec)

The worm starts the download attempt by sending a probe to port 8998/udp
of the master server. Then, the server replies with a URL, where the
worm can download the file to execute.

Sobig.F also opens the following ports:
995/udp
996/udp
997/udp
998/udp
999/udp

It also listens for any incoming UDP datagrams on these ports. Incoming
datagrams are parsed and, upon receiving a datagram with the proper
signature, the worm's master server list may be updated.

At 15:21 22/08/2003, you wrote:
>(Warning: getting OT; sorry)
>
>According to
>
>http://www.vnunet.com/News/1143169
>
>"We recommend blocking the UDP port 8998 on a firewall, which is the
>port the virus will try and use."
>
>Antony Stone said:
> > Hi.
> >
> > I just received this from Sophos. People may want to check firewall and
> > mail gateway configurations before the weekend (Bank Holiday in the UK...)
> >
> > It's a pity they don't say what mechanism is likely to be used for any code
> > download, however I would guess at either HTTP, or possibly port 25 on a
> > remote server, even if the mechanism isn't really SMTP.
>
><snipped>
>
>--
>Kurt Yoder
>Sport & Health network administrator

--
Julian Field
www.MailScanner.info
MailScanner thanks transtec Computers for their support
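As an added example (not part of this post or of MailScanner itself), a small Python checker for the traffic pattern the Symantec text describes: it scans firewall log lines for UDP probes to port 8998 from internal hosts and for inbound UDP datagrams to ports 995-999, and tallies the internal hosts involved. The iptables-LOG-style line format, the 10.0.0.0/8 internal range and the sample log lines are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Ports from the Symantec description quoted in the thread.
MASTER_PROBE_PORT = 8998          # worm -> master server probe (UDP)
CONTROL_PORTS = range(995, 1000)  # 995-999/udp: worm listens for signed datagrams

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range (constructed)

# Assumed iptables-LOG-style key=value fields (constructed format).
LOG_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?PROTO=(\S+) SPT=(\d+) DPT=(\d+)")

def classify(line):
    """Return (kind, src, dst) for a suspicious UDP line, else None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst, proto, _spt, dpt = m.groups()
    if proto != "UDP":
        return None  # both described channels are UDP only
    src, dst, dpt = ip_address(src), ip_address(dst), int(dpt)
    if src in INTERNAL and dpt == MASTER_PROBE_PORT:
        return ("master-probe", str(src), str(dst))     # host asking for a URL
    if dst in INTERNAL and dpt in CONTROL_PORTS:
        return ("control-datagram", str(src), str(dst))  # possible list update
    return None

def summarize(lines):
    """Tally internal hosts per category: {kind: Counter({host: hits})}."""
    counts = {"master-probe": Counter(), "control-datagram": Counter()}
    for line in lines:
        hit = classify(line)
        if hit:
            kind, src, dst = hit
            counts[kind][src if kind == "master-probe" else dst] += 1
    return counts

# Constructed sample log: two probes from 10.1.2.3, one control datagram to it,
# a TCP/8998 line (ignored) and ordinary DNS traffic (ignored).
SAMPLE_LOG = """\
Aug 22 16:40:01 fw kernel: SRC=10.1.2.3 DST=203.0.113.5 LEN=36 PROTO=UDP SPT=1034 DPT=8998
Aug 22 16:40:02 fw kernel: SRC=10.1.2.3 DST=203.0.113.5 LEN=36 PROTO=UDP SPT=1034 DPT=8998
Aug 22 16:40:05 fw kernel: SRC=198.51.100.9 DST=10.1.2.3 LEN=60 PROTO=UDP SPT=8998 DPT=996
Aug 22 16:40:07 fw kernel: SRC=10.1.2.4 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=1040 DPT=8998
Aug 22 16:40:09 fw kernel: SRC=10.1.2.5 DST=10.0.0.2 LEN=60 PROTO=UDP SPT=1041 DPT=53
""".splitlines()

if __name__ == "__main__":
    for kind, hosts in summarize(SAMPLE_LOG).items():
        print(kind, dict(hosts))
```

Hosts that show up under "master-probe" are the ones to isolate and check first; a "control-datagram" hit only says someone addressed the listening ports, so it is corroboration rather than proof on its own.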