Message-ID: <000f01c39da9$0a961e30$7802a8c0@winxpnetsniper>
From: khermansen at ht-technology.com (Kristian Hermansen)
Subject: sharp increase on 27347/TCP

Looks like W32/Spybot.worm.gen, discovered on 4/23/2003 and documented here by
McAfee:

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100282

---SNIP---
"The worm copies itself around and into the folder defined by
"Kazaa\localcontent" registry key and into "kazaabackupfiles" subdirectory.
Some copies may have enticing names (like "porn.exe", "Matrix Screensaver
1.5.scr", "Smart Ripper v2.7.exe", etc.) so other people may download the
worm through P2P file sharing program. Once the downloaded copy of the worm
is executed the cycle repeats itself. Some variants can scan subnets for
systems already infected by sub7 or kuang2 to spread further."
---SNIP---

So possibly a whole bunch of hosts on Kazaa became infected rapidly and that
is why we see the spike.  To support this, check out who the offending
parties are here:

http://www.mynetwatchman.com/incidentsbyport.asp?range=0&SID=0x066AD3&ServiceName=tcp/27347

Looks like Cable/DSL subscribers for the most part.  Any thoughts?

Also documented here (notice "research pending") for tcp/27347:

http://www.mynetwatchman.com/tp.asp


Kristian Hermansen
CEO - H&T Technology Solutions
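As an added example that is not part of the original post, here is a small Python script a defender could use to check whether the tcp/27347 spike discussed above shows up in their own firewall logs: it counts distinct source hosts hitting the port per hour and flags the hours that exceed a threshold. The iptables-style log format, the sample lines and the threshold are assumptions, constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in iptables LOG-target style (not from the original post).
# Hour 03 shows a burst of distinct sources hitting tcp/27347; hour 02 is unrelated traffic.
SAMPLE_LOG = """\
Apr 23 01:12:03 gw kernel: IN=eth0 SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=3201 DPT=27347 SYN
Apr 23 01:40:11 gw kernel: IN=eth0 SRC=203.0.113.11 DST=198.51.100.5 PROTO=TCP SPT=1044 DPT=27347 SYN
Apr 23 02:05:44 gw kernel: IN=eth0 SRC=203.0.113.12 DST=198.51.100.5 PROTO=TCP SPT=4450 DPT=80 SYN
Apr 23 03:00:02 gw kernel: IN=eth0 SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=2201 DPT=27347 SYN
Apr 23 03:00:09 gw kernel: IN=eth0 SRC=203.0.113.21 DST=198.51.100.5 PROTO=TCP SPT=2202 DPT=27347 SYN
Apr 23 03:01:15 gw kernel: IN=eth0 SRC=203.0.113.22 DST=198.51.100.5 PROTO=TCP SPT=2203 DPT=27347 SYN
Apr 23 03:02:30 gw kernel: IN=eth0 SRC=203.0.113.23 DST=198.51.100.5 PROTO=TCP SPT=2204 DPT=27347 SYN
Apr 23 03:03:41 gw kernel: IN=eth0 SRC=203.0.113.20 DST=198.51.100.5 PROTO=TCP SPT=2205 DPT=27347 SYN
"""

# Captures the "Mon DD HH" hour bucket, the SRC address and the DPT port from one log line.
LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d):\d\d:\d\d .*SRC=(\S+) .*DPT=(\d+)")


def distinct_sources_per_hour(log_text, port):
    """Map each 'Mon DD HH' hour bucket to the set of distinct SRC addresses hitting `port`."""
    hours = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and int(m.group(3)) == port:
            hours[m.group(1)].add(m.group(2))
    return dict(hours)


def spike_hours(log_text, port, threshold=3):
    """Return the hour buckets where at least `threshold` distinct sources probed `port`.

    Counting distinct sources rather than raw packets separates a worm sweep
    (many hosts, one port) from a single noisy host retrying.
    """
    counts = distinct_sources_per_hour(log_text, port)
    return sorted(hour for hour, srcs in counts.items() if len(srcs) >= threshold)


if __name__ == "__main__":
    for hour in spike_hours(SAMPLE_LOG, 27347):
        srcs = distinct_sources_per_hour(SAMPLE_LOG, 27347)[hour]
        print(f"{hour}: {len(srcs)} distinct sources -> {sorted(srcs)}")
```

The same functions can be pointed at a real syslog file by replacing SAMPLE_LOG with its contents; the threshold should be tuned against the normal hourly baseline for the port.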
