kpatz (Premium; joined 2003-06-13; Manchester, NH), in reply to Link Logger:

Re: New Worm scanning on 1025, 2745, 3127 and 6129

I just checked my logs for IPs that scanned me on both 1025 and 3127, and found two samples; both were 245,760 bytes long and are detected as Win32.Agobot by eTrust AV.
KAV online missed it. F-prot and NOD32 detect heuristically as "unknown virus". I'll submit my sample to the Submit Suspected Malware link.
In any case, looks like another NEW Agobot/Gaobot variant!
Link Logger (Premium, MVM; joined 2001-03-29; Calgary, AB; kudos: 3):

The 3127 capture was 249,861 bytes (minus 5 if you knock off the myDoom string at the start).

Blake
kpatz (Premium; joined 2003-06-13; Manchester, NH):

Your sample might be different from mine then. I submitted mine to the Submit Suspected Malware addresses as well as the malware archive. You may want to do the same with yours. If it's a Gaobot/Agobot variant, NAV and eTrust seem to have generic detection for it. F-prot and NOD32 give me a heuristic detection (possibly unknown Win32 virus).
Link Logger (Premium, MVM; joined 2001-03-29; Calgary, AB; kudos: 3), in reply to kpatz:

I have two different samples with a length of 245,760 (I assume you don't include the myDoom string); both are detected as Agobot.es by Kaspersky.

Blake -- Vendor: Firewall Logging Software »www.SonicLogger.com - SonicWall and 3Com »www.LinkLogger.com - Linksys, Netgear and Zyxel
kpatz (Premium; joined 2003-06-13; Manchester, NH; 1 edit):

I've seen the Agobot.es samples before. I just scanned (with KAV) the two 245,760-byte samples I received from IPs that scanned me on 1025, 6129 and 3127, and one was detected as Agobot.fj and the other was NOT detected. I submitted the sample that was not detected.

EDIT: So far I have not been scanned on 2745 and 3127 by the same IP, so your samples are probably different from mine. My Agobot samples are coming from IPs hitting me on 3127 and 1025 (and 6129).
Link Logger (Premium, MVM; joined 2001-03-29; Calgary, AB; kudos: 3):

You might want to take a look at »MD5 File Grouper for PortPeeker and others, as MD5 Grouper is a handy way to group captures by MD5 hash value. So after running MD5 Grouper in your capture directory you would have a bunch of subdirectories (one for each MD5 hash value) containing files which are exactly alike. I run it every time I have a new capture (or captures) so it places the files into the proper hash directory, or if it's a new hash (i.e. a new worm) then the directory name (the hash value) is displayed in bold in MD5 Grouper.

Blake
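The grouping workflow Blake describes (hash every capture, file it under a directory named after its digest, and flag digests never seen before so a new variant stands out) is simple enough to reproduce in a few lines. The script below is an added example written for this thread; it is not the MD5 Grouper program, and the capture files it creates are constructed placeholder bytes, not real worm samples. Directory names, file names and the hypothetical `run_demo()` scenario are assumptions for illustration.

```python
"""Group capture files by MD5 digest and report never-seen digests.

Added example modelled on the MD5 Grouper workflow from the thread, not the
tool itself.  Each regular file in a capture directory is hashed and moved into
a subdirectory named after its digest; a digest with no existing directory is
reported as new (the equivalent of MD5 Grouper showing it in bold).
"""
import hashlib
import os
import shutil
import tempfile


def md5_of_file(path, chunk_size=65536):
    """Return the hex MD5 digest of a file, read in chunks so large
    captures do not have to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def group_by_hash(capture_dir):
    """Move every regular file directly under capture_dir into a
    subdirectory named after its MD5 digest.

    Returns (groups, new_hashes): groups maps digest -> sorted file names now
    stored under that digest; new_hashes holds digests whose directory did
    not exist before this run, i.e. content never captured before.
    """
    known = {d for d in os.listdir(capture_dir)
             if os.path.isdir(os.path.join(capture_dir, d))}
    new_hashes = set()
    for name in sorted(os.listdir(capture_dir)):
        src = os.path.join(capture_dir, name)
        if not os.path.isfile(src):
            continue  # existing digest directories are left alone
        digest = md5_of_file(src)
        dest_dir = os.path.join(capture_dir, digest)
        if digest not in known:
            os.makedirs(dest_dir, exist_ok=True)
            known.add(digest)
            new_hashes.add(digest)
        dest = os.path.join(dest_dir, name)
        # Two captures with the same file name but identical content: keep
        # both rather than overwriting the earlier one.
        if os.path.exists(dest):
            base, ext = os.path.splitext(name)
            dest = os.path.join(dest_dir, f"{base}_{len(os.listdir(dest_dir))}{ext}")
        shutil.move(src, dest)
    groups = {d: sorted(os.listdir(os.path.join(capture_dir, d))) for d in known}
    return groups, new_hashes


def run_demo():
    """Hypothetical scenario with constructed placeholder captures: three
    files on the first run (two byte-identical), then a repeat of a known
    payload plus one genuinely new payload on a second run."""
    work = tempfile.mkdtemp(prefix="captures_")
    first_batch = {
        "3127_host1.bin": b"constructed-sample-A" * 50,
        "3127_host2.bin": b"constructed-sample-A" * 50,  # identical to host1
        "1025_host3.bin": b"constructed-sample-B" * 50,
    }
    for name, data in first_batch.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    groups1, new1 = group_by_hash(work)

    second_batch = {
        "1025_host4.bin": b"constructed-sample-B" * 50,  # already known
        "6129_host5.bin": b"constructed-sample-C" * 50,  # never seen before
    }
    for name, data in second_batch.items():
        with open(os.path.join(work, name), "wb") as f:
            f.write(data)
    groups2, new2 = group_by_hash(work)
    shutil.rmtree(work)
    return {
        "first_run_groups": len(groups1),
        "first_run_new": len(new1),
        "second_run_groups": len(groups2),
        "second_run_new": len(new2),
        "largest_group": max(len(v) for v in groups2.values()),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Point the function at a real capture directory instead of the demo's temporary one and the second run's `new_hashes` set is the list of digests worth submitting to an AV vendor; the ones already seen just accumulate alongside their earlier copies. MD5 is used only because that is what the tool in the thread groups on; for anything beyond local deduplication a SHA-256 digest is the better identifier.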