Open Source and information security mailing list archives
From: janus at (Honza Vlach)
Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

We've experienced this worm too, and disinfected it as a new variant of
Agobot (Gaobot). Basically it exploits poorly protected Windows shares, the
RPC DCOM bug in Windows etc. (most of the people infected had admin/admin
login/passwords on their computers with the default C$ share). Combine this
with a heavily unpatched system and Agobot can pick an attack vector
according to its current mood :-)

By the way, it also acts as an IRC backdoor, which makes infected
computers zombies.

more info at:

Should be detected and disinfected by major antiviruses by now.
Avast4 worked well for us.

Have a nice day,
Honza Vlach

On Wed, Apr 21, 2004 at 02:16:04AM -0700, wrote:
> To: Jeff Kell <>
> Cc: Incidents <>,
>         General DShield Discussion List <>
> Subject: Re: Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127
> X-Mailer: Lotus Notes Release 6.0.2CF1 June 9, 2003
> From:
> Date: Wed, 21 Apr 2004 02:16:04 -0700
> > 
> > Sound familiar to anyone?
> > 
> Have not seen the particular virus/worm, but have seen scans from single 
> IPs of ports 6129, 2745, 135, 445, 1025, 3127 in sequence.
> 6129 is default port for dameware remote control agent:
> 3127 is used by MyDoom, Novarg and variants
> I'd start with these. But it could, as always, be yet another variant. 
> Lucky you.
> -- Mark Gottschalk
> Two Roads Professional Resources
()  ascii ribbon campaign - against html mail 
/\                        - against microsoft attachments
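
Added example, not part of the original messages: a way to pick out of firewall logs the scan pattern described in the quoted reply (single IPs probing 6129, 2745, 135, 445, 1025, 3127). The log format, the function name find_scanners, the per-destination grouping and the thresholds (4 distinct ports within 60 seconds) are assumptions; port 80 from the subject line is left out because ordinary web traffic would swamp it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports named in the thread as being scanned in sequence from single IPs.
SIGNATURE_PORTS = {6129, 2745, 135, 445, 1025, 3127}

# Assumed log format (iptables-like); adjust the regex to your firewall.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP .*?DPT=(?P<dpt>\d+)"
)

def find_scanners(lines, min_ports=4, window=timedelta(seconds=60)):
    """Return {src_ip: sorted signature ports} for sources that hit at least
    min_ports distinct signature ports on one destination within window."""
    hits = defaultdict(list)  # (src, dst) -> [(time, port)]
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a TCP line in the assumed format
        port = int(m["dpt"])
        if port in SIGNATURE_PORTS:
            ts = datetime.fromisoformat(m["ts"])
            hits[(m["src"], m["dst"])].append((ts, port))
    flagged = {}
    for (src, _dst), events in hits.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over the events
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {p for _, p in events[start:end + 1]}
            if len(ports) >= min_ports:
                flagged.setdefault(src, set()).update(ports)
    return {src: sorted(p) for src, p in flagged.items()}

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = """\
2004-04-21T09:00:01 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4021 DPT=6129
2004-04-21T09:00:02 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4022 DPT=2745
2004-04-21T09:00:03 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4023 DPT=135
2004-04-21T09:00:04 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4024 DPT=445
2004-04-21T09:00:05 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4025 DPT=1025
2004-04-21T09:00:06 fw DROP SRC=192.0.2.15 DST=198.51.100.7 PROTO=TCP SPT=4026 DPT=3127
2004-04-21T09:00:03 fw ACCEPT SRC=192.0.2.40 DST=198.51.100.9 PROTO=TCP SPT=1188 DPT=445
2004-04-21T09:00:04 fw ACCEPT SRC=192.0.2.40 DST=198.51.100.9 PROTO=TCP SPT=1189 DPT=135
""".splitlines()

if __name__ == "__main__":
    print(find_scanners(SAMPLE_LOG))
```

A host that only touches 135 and 445 (normal Windows file sharing) stays below the threshold; lowering min_ports trades fewer misses for more false positives.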
