Well, if it's stupid enough to stay on port 17300, it'll soon be filtered out by the UMC edge router, so anybody on campus (or dialed up, or on VPN) is okay. I'm just worried that it'll find a way to start port hopping...
--J
> -----Original Message-----
> From: Mark Haidekker [mailto:EMAIL:PROTECTED]
> Sent: Tuesday, May 13, 2003 3:08 PM
> To: MLUG Members
> Subject: Re: [MLUG] port 17300 and kuang2 trojan
>
>
> On Tuesday 13 May 2003 01:45 pm, you wrote:
> > In the last 2 days I've seen a massive increase in port 17300 connection
> > attempts on my Solaris box coming from all over the world. I guess this
> > is the kuang2 trojan. I suppose it doesn't attack Solaris and it is
> > looking for Windows shares or somesuch. Is that it? Am I safe? Is
> > kuang2 making the news this week?
> >
> > Mike
>
> What about Fizzer? Below is some info from
> http://www.eweek.com/article2/0,3959,1079560,00.asp. Fun ahead, mostly for
> Windoze users, though.
>
> Mark
>
>
> "This is one of the more complicated worms we've seen", comments Mikko
> Hypponen, manager of anti-virus research at F-Secure Corp., based in
> Helsinki, Finland. "The worm is 200kB of code spaghetti, containing
> backdoors, code droppers, attack agents, key loggers and even a small
> Web server."
>
> The new worm has several other capabilities that make it particularly
> troubling and dangerous. Fizzer includes an IRC bot that attempts to
> connect to a number of different IRC servers and, once it establishes a
> connection, listens passively for further instructions. This kind of
> activity is often the precursor to a distributed DoS (denial-of-service)
> attack. The worm also has the ability to create a new user account on AIM
> (AOL Instant Messenger), join a chat session and then listen for
> instructions.
>
> But perhaps the most interesting aspect of Fizzer is the HTTP server
> it contains. The server runs on a configured TCP port and in effect
> acts as a command console,
>
> The HTTP server also gives the attacker the ability to remotely launch
> DoS attacks, further propagate the worm via e-mail, issue commands to
> the IRC and AIM bots, and kill anti-virus applications.
>
> The keystroke logger records every typed letter and saves the log in
> an encrypted file on the infected machine. If the infected PC has
> the Kazaa file-sharing program installed, Fizzer also has the ability
> to find the default download location for Kazaa files and copy itself
> to that folder. It will have a random filename and could easily be
> mistaken for a media file and downloaded by another Kazaa user.
>
> At its heart, Fizzer is a mass-mailing worm that arrives in users'
> mailboxes in an e-mail with a random subject line and body text. The
> attachment containing the worm is an executable file, but has a
> random name and may also have a random file extension that disguises
> the fact that it is an executable.
> _______________________________________________
> members mailing list
> EMAIL:PROTECTED
> http://mlug.missouri.edu/mailman/listinfo/members
>