[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <405C7E82.1050608@egotistical.reprehensible.net>
From: ge at egotistical.reprehensible.net (Gadi Evron)
Subject: The witty worm
Information can be found at: http://www.f-secure.com/v-descs/witty.shtml
According to that link the worm sends itself to 20K random IP's,
It's also on a repeat though.
To block it you need to block packets coming from UDP source port 4000.
I'd suggest blocking local port 4000, as well. This thing spreads fast
and many networks probably send it out now too.
Example Cisco rule which shows how fast this thing spreads (from a
network ran by a friend of mine, Scott McHenry):
deny udp any eq 4000 any (65 matches)
<20 seconds>
deny udp any eq 4000 any (77 matches)
Gadi Evron.
Powered by blists - more mailing lists