From a look at the description it is a worm controlled by IRC. Also one
of the passwords it uses to try and connect to remote machines is "root".

I would make sure that you aren't using IRC, nor logging into the
windows domain as "root". It could be that your netadmin's "worm
detector" is falsely seeing some of your connections as the Randbot worm
either looking for other machines or trying to phone home.

(This is all just a guess)

I would ask them what tool/method they have used to determine you are
the "infector".

Martin Visser ,CISSP
Network and Security Consultant 
Technology & Infrastructure - Consulting & Integration
HP Services

3 Richardson Place 
North Ryde, Sydney NSW 2113, Australia 
Phone: +61-2-9022-1670    Mobile: +61-411-254-513
Fax: +61-2-9022-1800     E-mail: martin.visserAThp.com

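As an added illustration of the checks suggested above (this is not code from the original mail or from any of its authors): a small Python triage script that sorts outbound connection records from one host into the three patterns at issue in this thread, namely outbound IRC sessions, the NetBIOS browse/announce broadcasts a Samba host sends as a matter of course, and SMB connection attempts fanned out across many different machines, which is what a scanning worm looks like to a network-side "worm detector". The one-line-per-connection record format, the addresses in the sample logs and the scan threshold are all constructed assumptions; the port numbers are the well-known ones.

```python
"""Triage outbound connection records for the patterns discussed above.

Three things are told apart:
  * outbound IRC sessions (the worm described is IRC-controlled, but a
    legitimate IRC client looks the same to a network-side detector),
  * NetBIOS browse/announce datagrams to the LAN broadcast address,
    which a Samba host emits normally,
  * SMB connection attempts spread across many distinct hosts, the
    fan-out a scanning worm produces.

The one-line-per-connection format, the addresses and the scan
threshold are constructed assumptions for this example, not the output
of any real tool.
"""

# Well-known ports; 6660-6669 and 7000 are the conventional IRC range.
IRC_PORTS = set(range(6660, 6670)) | {7000}
SMB_PORTS = {139, 445}            # NetBIOS session / direct-hosted SMB
NETBIOS_DGRAM_PORTS = {137, 138}  # name service / datagram (browse) service

# Distinct SMB targets in one capture before we call it scanning (assumption).
SCAN_THRESHOLD = 5


def parse_record(line):
    """Parse 'proto src_ip:sport -> dst_ip:dport' into a dict."""
    proto, src, arrow, dst = line.split()
    if arrow != "->":
        raise ValueError("unexpected record: %r" % line)
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"proto": proto.lower(), "src": src_ip, "sport": int(sport),
            "dst": dst_ip, "dport": int(dport)}


def is_broadcast(ip):
    """Crude broadcast check: limited broadcast or a .255 host part (assumes a /24)."""
    return ip == "255.255.255.255" or ip.endswith(".255")


def triage(lines, local_ip):
    """Classify records originating from local_ip; return a summary dict."""
    irc_peers = set()
    browse_datagrams = 0
    smb_targets = set()
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["src"] != local_ip:
            continue  # only traffic leaving this host matters here
        if rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
            irc_peers.add(rec["dst"])
        elif (rec["proto"] == "udp" and rec["dport"] in NETBIOS_DGRAM_PORTS
              and is_broadcast(rec["dst"])):
            browse_datagrams += 1          # normal Samba browse/announce
        elif rec["proto"] == "tcp" and rec["dport"] in SMB_PORTS:
            smb_targets.add(rec["dst"])    # one more machine we tried SMB on
    return {
        "irc_peers": sorted(irc_peers),
        "browse_datagrams": browse_datagrams,
        "smb_target_count": len(smb_targets),
        "smb_scan_suspected": len(smb_targets) >= SCAN_THRESHOLD,
    }


# Constructed sample: a Samba host browsing normally, two ordinary SMB
# connections, one IRC session, and one inbound record that is ignored.
NORMAL_LOG = """\
udp 192.168.1.50:137 -> 192.168.1.255:137
udp 192.168.1.50:138 -> 192.168.1.255:138
tcp 192.168.1.50:34512 -> 192.168.1.10:139
tcp 192.168.1.50:34513 -> 192.168.1.20:445
tcp 192.168.1.50:34514 -> 10.0.0.7:6667
udp 192.168.1.50:138 -> 192.168.1.255:138
tcp 192.168.1.10:445 -> 192.168.1.50:34512
"""

# Constructed sample: the same host trying SMB on six different machines.
WORM_LIKE_LOG = "\n".join(
    "tcp 192.168.1.50:%d -> 192.168.1.%d:445" % (40000 + i, 100 + i)
    for i in range(6)
)

if __name__ == "__main__":
    for name, log in (("normal", NORMAL_LOG), ("worm-like", WORM_LIKE_LOG)):
        print(name, triage(log.splitlines(), "192.168.1.50"))
```

In practice the records would come from a capture of the host's own interface (the ethereal snapshot mentioned in the thread would do) reduced to this one-line form. The useful output is the contrast: a handful of broadcast browse datagrams and one or two SMB sessions is a Samba host behaving normally, while many distinct SMB targets in a short window is the pattern a detector has good reason to flag, and an IRC session is worth explaining either way.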

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, 12 November 2003 1:01 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: [SLUG] virus puzzle

> How exactly did they come to this conclusion?  Reading up on the virus
> it appears to only run and infect Windows systems ...
>
> http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100401
>
> I know corporate IT people are often very quick to blame any sort of 
> abnormal behaviour on a perfectly fine Linux box, but that seems like 
> an extreme accusation.

That's what I thought first. This worm should be Windows specific. I did
a few quick checks, everything seemed to be normal. I then reconnected my
machine to the network. Within 10 minutes, I got a call from the support
guy asking me whether I had reconnected. I was told two more machines had
just got infected. For some stupid reason (I can't even remember now) I
did not save my ethereal snapshot of traffic going out of my eth0 during
that time (DAMN!) so I can't prove anything. But from my memory there
were a few announcement/browse packets from samba sent out. Right now, I
am really hesitant to reconnect my machine to the network for further
testing, before I have some clues of what has happened. I really don't
want to piss them off. Ever since that MBlaster worm... ;-)

Xun.

>
> -i



--
SLUG - Sydney Linux User's Group - http://slug.org.au/ More Info:
http://lists.slug.org.au/listinfo/slug