
List:       incidents
Subject:    Botnet is back, and some info FYI.
From:       BahdKo <bahdko () erols ! com>
Date:       2005-01-06 12:57:01
Message-ID: 41DD359D.8070304 () erols ! com

Hi everyone,

I wanted to let you know how this worked out.

The packets that were coming into my network stopped for a few days, and then restarted. This time, I was ready with netcat. I had netcat listen on port 3127 and grabbed the payload from a couple of connections. It looks like the bots are using a utility from the www.steelbytes.com website ("port tunnel" maybe), and when Norton Antivirus looked at the file, it identified it as being related to or otherwise infected with Bloodhound.Mydoom.Cli. I have the contents from one of the TCP sessions up at http://www.sbbsnet.net/netcatfile.gz, if anyone wants to see it. This file may contain the actual virus.

Regards,

--Laura
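An added example, not part of the original post, of the capture step Laura describes (listen on port 3127 and record what each connection sends), written as a small Python listener that saves each session to its own file and records its SHA-256 so the sample can be handed to AV or a ticket. The output directory, idle timeout and size cap are assumptions.

```python
import hashlib
import socket
from datetime import datetime, timezone
from pathlib import Path

LISTEN_PORT = 3127            # the port from the post
OUT_DIR = Path("captures")    # assumption: where session files are written
IDLE_TIMEOUT = 10.0           # assumption: seconds of silence that end a session
MAX_BYTES = 10 * 1024 * 1024  # assumption: cap so a chatty peer cannot fill the disk

def read_session(conn, max_bytes=MAX_BYTES, idle_timeout=IDLE_TIMEOUT) -> bytes:
    """Read everything the peer sends until it closes, goes idle, or hits the cap."""
    conn.settimeout(idle_timeout)
    chunks, total = [], 0
    while total < max_bytes:
        try:
            data = conn.recv(min(65536, max_bytes - total))
        except socket.timeout:
            break
        if not data:  # peer closed the connection
            break
        chunks.append(data)
        total += len(data)
    return b"".join(chunks)

def save_capture(payload: bytes, peer: str, out_dir: Path = OUT_DIR) -> dict:
    """Write one session to disk; return the metadata you would hand to AV or a ticket."""
    out_dir.mkdir(parents=True, exist_ok=True)
    sha256 = hashlib.sha256(payload).hexdigest()
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    path = out_dir / f"{stamp}_{peer.replace(':', '_')}_{sha256[:12]}.bin"
    path.write_bytes(payload)
    return {"path": str(path), "size": len(payload), "sha256": sha256,
            "looks_like_pe": payload.startswith(b"MZ")}  # DOS/PE header magic

def serve(port: int = LISTEN_PORT, out_dir: Path = OUT_DIR) -> None:
    """Accept connections one at a time, as `nc -l -p 3127` does, and record each."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, addr = srv.accept()
            with conn:
                print(save_capture(read_session(conn), f"{addr[0]}:{addr[1]}", out_dir))

if __name__ == "__main__":
    serve()
```

Unlike a bare netcat redirect, each connection lands in a separate file, so two bots hitting the port in a row do not get concatenated into one capture.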

