lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <407C1112.C3C35917@epost.de>
From: api at epost.de (Axel Pettinger)
Subject: Which worm?

bob sagart wrote:
> 
> Hey everyone
> The other night I decided to see what traffic I could capture on tcp 
> port 3127 (MyDoom backdoor) since I have been getting a lot of 
> connection attemps showing up in my firewall logs.
> I got several dumps of the traffic using
> nc -l -p 3127 > out.dmp
> most of them are around 10-20kB which I thought was the about the 
> right size of most of the worms and backdoors using that port. But one 
> of the dumps I got was 150kB and I was just wondering if anyone could 
> tell me what I might be?

It's likely that it is one of the many (NAI counts more than 542)
"Gaobot" (aka "Agobot") variants. NAI's description:
http://vil.nai.com/vil/content/v_100785.htm

To be sure simply check the file using Kaspersky's Online Virus Scanner:
http://www.kaspersky.com/scanforvirus.html

> I cannot send it as an attachment as hotmail says it is a virus.

"Exploit-Mydoom.b"?

Regards,
Axel Pettinger

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ