Message-ID: <8D8863BB65A02F47A303E5B766612671013C0E92@exmb1.zonelabs.com>
From: jlacour at zonelabs.com (John LaCour)
Subject: Which worm?
Hi Bob,
There are several variants of Agobot/Gaobot that are
propagating via the MyDoom/Novarg backdoor.
I've found that most of the samples I've captured
are damaged and won't run. Try scanning them with the
RAV Antivirus online scanner. It seems to do a good
job of identifying these things, even the damaged ones.
Also, don't forget to delete the first 5 bytes off
the capture to remove the file upload and execute
handshake before scanning it.
-John
http://www.ravantivirus.com/scan/indexie.php
> From: bob sagart [mailto:bobsagart500@...mail.com]
> Sent: Tuesday, April 13, 2004 4:53 AM
>
> The other night I decided to see what traffic I could capture on tcp port
> 3127 (MyDoom backdoor) since I have been getting a lot of connection attempts
> showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was about the right size
> of most of the worms and backdoors using that port. But one of the dumps I
> got was 150kB and I was just wondering if anyone could tell me what it might
> be?
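An added triage helper, not from John's or Bob's mail: it drops the five handshake bytes John mentions from an `nc` capture, hashes what is left and checks the DOS and PE headers so that truncated or damaged uploads are flagged before they go to a scanner. The handshake bytes and the PE layout in the sample input are constructed placeholders; only the 5-byte length comes from the thread.

```python
import hashlib
import struct
import sys

HANDSHAKE_LEN = 5  # bytes to drop, as John advises (the upload-and-execute handshake)


def strip_handshake(capture: bytes, handshake_len: int = HANDSHAKE_LEN) -> bytes:
    """Drop the leading handshake from a raw `nc -l -p 3127 > out.dmp` capture."""
    if len(capture) <= handshake_len:
        raise ValueError("capture is no longer than the handshake; nothing left to scan")
    return capture[handshake_len:]


def triage(payload: bytes) -> dict:
    """Check whether a stripped payload is a plausible, intact PE file.

    Looks for the DOS 'MZ' magic, an e_lfanew that points inside the file and the
    PE signature at that offset. Any failed check marks the sample as damaged, which
    matches the truncated uploads John describes.
    """
    info = {"size": len(payload), "sha256": hashlib.sha256(payload).hexdigest(),
            "mz": payload[:2] == b"MZ", "pe_signature": False, "damaged": True}
    if not info["mz"] or len(payload) < 0x40:
        return info
    e_lfanew = struct.unpack_from("<I", payload, 0x3C)[0]
    if e_lfanew + 4 <= len(payload) and payload[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
        info["pe_signature"] = True
        info["damaged"] = False
    return info


def build_sample_capture(truncate: bool = False) -> bytes:
    """Constructed test input, not a real MyDoom capture: five placeholder handshake
    bytes followed by a minimal DOS header plus PE signature."""
    handshake = b"\x00" * HANDSHAKE_LEN  # placeholder; real handshake bytes not reproduced
    pe = bytearray(b"MZ" + b"\x00" * 0x3E)  # 64-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x40)  # e_lfanew: PE header starts right after it
    pe += b"PE\x00\x00" + b"\x00" * 20
    blob = bytes(pe)
    if truncate:
        blob = blob[:0x30]  # cut inside the DOS header, like a damaged upload
    return handshake + blob


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "out.dmp"
    with open(path, "rb") as f:
        print(triage(strip_handshake(f.read())))
```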