Alavan,

The worm spawns a shell on TCP port 4444 on the infected host. The worm issues commands through tftp downloading msblast.exe which it then starts over its shell.

You can do some sniffing for TCP 4444 or simply, just grab all outbound port 135 traffic :D

-------------------------------------------
Eric Hines
CEO, Chairman
Applied Watch Technologies, Inc.
web: http://www.appliedwatch.com
email: eric.hinesat_private
-------------------------------------------
Direct: (877) 262-7593 - Toll Free x327
Fax: (815) 425-2173
General: (877) 262-7593 (9am-5pm CST)
-------------------------------------------
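Added example, not part of the original message: a small Python pass over flow records that looks for the indicators described above (a connection to TCP 4444, a tftp request, and outbound TCP 135). The record format, the sample addresses, the fan-out threshold and the assumption that the tftp request goes back to the peer that opened the 4444 connection are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample flow records (not real traffic): time src dst proto dport
SAMPLE_FLOWS = """\
10:00:01 10.1.1.5 10.1.1.20 tcp 135
10:00:02 10.1.1.5 10.1.1.20 tcp 4444
10:00:03 10.1.1.20 10.1.1.5 udp 69
10:00:09 10.1.1.20 10.1.1.21 tcp 135
10:00:09 10.1.1.20 10.1.1.22 tcp 135
10:00:10 10.1.1.20 10.1.1.23 tcp 135
10:00:11 10.1.1.30 10.1.1.40 tcp 135
10:00:12 10.1.1.31 192.0.2.8 tcp 80
"""

def flag_hosts(flow_text, fanout_threshold=3):
    """Return {host: [reasons]} for hosts matching the indicators in the message."""
    rpc_targets = defaultdict(set)  # src -> distinct hosts it contacted on tcp/135
    shell_peers = defaultdict(set)  # host with a 4444 listener -> peers that connected
    tftp_peers = defaultdict(set)   # src -> hosts it sent a tftp (udp/69) request to
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records
        _, src, dst, proto, dport = fields
        key = (proto.lower(), dport)
        if key == ("tcp", "135"):
            rpc_targets[src].add(dst)
        elif key == ("tcp", "4444"):
            shell_peers[dst].add(src)
        elif key == ("udp", "69"):
            tftp_peers[src].add(dst)

    findings = defaultdict(set)
    for host, peers in shell_peers.items():
        findings[host].add("shell-4444")
        # Assumption: the tftp fetch targets the peer that opened the shell.
        if peers & tftp_peers.get(host, set()):
            findings[host].add("shell-then-tftp")
    for host, targets in rpc_targets.items():
        # Assumption: many distinct tcp/135 destinations indicates propagation.
        if len(targets) >= fanout_threshold:
            findings[host].add("rpc-135-fanout")
    return {host: sorted(reasons) for host, reasons in findings.items()}

if __name__ == "__main__":
    for host, reasons in flag_hosts(SAMPLE_FLOWS).items():
        print(host, ", ".join(reasons))
```

The single tcp/135 flow from 10.1.1.30 stays below the threshold and is not reported, which is the trade-off against grabbing all outbound port 135 traffic.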
This archive was generated by hypermail 2b30 : Tue Aug 12 2003 - 23:09:37 PDT