Bassett, Mark wrote:
> What about what mobly posted earlier?
>
> <snip>
> FYI: Symantec's analysis
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.irc.cirebot.html
>
> -Dave
>
(snippage)
Well, it technically isn't a worm. But don't take my word for it, as I am no expert. Symantec classifies it as a Trojan Horse, not a worm. On the KAV Web page (http://www.avp.ch/avpve/worms/win32/autorooter.stm), they state "Even though this file package does not contain any auto-replication funnctions (sic), we still consider it much closer to being a worm-type program rather than merely a backdoor or a hacktool."
OK, so I'll call it a worm for argument's sake. It restricts itself to roughly 5% of the possible IP space and only spreads via 445/tcp. Symantec's site is still saying 0-49 hosts infected in the first 4 days. I'd hardly say it's more effective than Code Red.
Now, if someone takes it and turns it into an E-mail aware worm, and/or opens its target IP range to the Internet at large, then it is a *different* worm (I'm still calling it a worm for argument's sake) and we're playing a whole different ballgame.
I have IP addresses in the target range of this "worm". I'm seeing lots of scanning for 445/tcp, but not coming from other addresses in its target range.
Brian
--
Brian Eckman
Security Analyst
OIT Security and Assurance
University of Minnesota
612-626-7737
"There are 10 types of people in this world. Those who understand binary and those who don't."
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
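Brian's argument rests on two checks a defender can automate: how much of the IPv4 space the worm's hard-coded target list actually covers, and whether the 445/tcp scanning seen at the border comes from addresses inside that list (which would point to propagation) or from outside it (ordinary background scanning). The script below is an added example written for this post, not code from the thread or from either vendor write-up. The target list, the scan threshold and the firewall log lines are all constructed placeholders; the post does not name the worm's real ranges.

```python
"""Check 445/tcp scan sources against a worm's target IP list (added example)."""
import ipaddress
import re
from collections import defaultdict

# Hypothetical target list: thirteen /8 blocks, a placeholder that stands in
# for the unnamed "roughly 5% of the IP space" in the post (13/256 ~ 5.08%).
TARGET_RANGES = [ipaddress.ip_network(f"{o}.0.0.0/8")
                 for o in (10, 20, 30, 40, 50, 60, 70, 80, 90, 100, 110, 120, 130)]

# Assumed key=value firewall log format; adapt the regex to your own logs.
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)")

# Constructed sample log (not a real capture): one out-of-range scanner,
# one in-range scanner, one single probe, and one port-80 scanner as noise.
SAMPLE_LOG = """\
2003-08-01T12:00:01 src=203.0.113.7 dst=10.1.2.3 dport=445 proto=tcp
2003-08-01T12:00:01 src=203.0.113.7 dst=10.1.2.4 dport=445 proto=tcp
2003-08-01T12:00:02 src=203.0.113.7 dst=10.1.2.5 dport=445 proto=tcp
2003-08-01T12:00:02 src=203.0.113.7 dst=10.1.2.6 dport=445 proto=tcp
2003-08-01T12:00:03 src=20.5.5.5 dst=10.1.2.3 dport=445 proto=tcp
2003-08-01T12:00:03 src=20.5.5.5 dst=10.1.2.9 dport=445 proto=tcp
2003-08-01T12:00:04 src=20.5.5.5 dst=10.1.3.1 dport=445 proto=tcp
2003-08-01T12:00:05 src=198.51.100.2 dst=10.1.2.3 dport=445 proto=tcp
2003-08-01T12:00:06 src=198.51.100.9 dst=10.1.2.3 dport=80 proto=tcp
2003-08-01T12:00:07 src=198.51.100.9 dst=10.1.2.4 dport=80 proto=tcp
2003-08-01T12:00:07 src=198.51.100.9 dst=10.1.2.5 dport=80 proto=tcp
"""


def fraction_of_ipv4(networks):
    """Share of the 2**32 IPv4 addresses covered by the given networks."""
    return sum(n.num_addresses for n in networks) / 2 ** 32


def in_target_range(ip, ranges=TARGET_RANGES):
    """True if the address falls inside any of the worm's target networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_scanners(log_text, port=445, min_targets=3):
    """Map each source that probed at least min_targets distinct hosts on
    the given TCP port to its distinct-target count."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != port:
            continue
        targets[m["src"]].add(m["dst"])
    return {src: len(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}


def classify_scanners(log_text, ranges=TARGET_RANGES, port=445, min_targets=3):
    """Split scanning sources into those inside the worm's target list
    (candidate propagation) and those outside it (background scanning)."""
    inside, outside = [], []
    for src in find_scanners(log_text, port, min_targets):
        (inside if in_target_range(src, ranges) else outside).append(src)
    return {"inside": sorted(inside), "outside": sorted(outside)}


if __name__ == "__main__":
    print(f"target list covers {fraction_of_ipv4(TARGET_RANGES):.2%} of IPv4")
    for label, srcs in classify_scanners(SAMPLE_LOG).items():
        print(f"{label:>7}: {', '.join(srcs) or '(none)'}")
```

Only sources that touch several distinct hosts count as scanners, so a lone probe such as 198.51.100.2 is not reported; lower `min_targets` if you want every 445/tcp hit. In the sample data one scanner (20.5.5.5) sits inside the placeholder ranges and one (203.0.113.7) does not, which is the distinction Brian draws between the worm's own spread and the unrelated 445/tcp noise he was seeing.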