On Fri, 2003-08-22 at 21:33, Compton, Rich wrote:
> As many of you know, the latest Sobig.F virus was scheduled to begin
> downloading unknown code from various IPs at 3:00 EST today on UDP port
> 8998. Does anybody have any idea what this code is? Are the infected boxes
> actually downloading code? Does anybody have an infected Windoze box with
> Sobig that can see what code was downloaded?
While this is 2nd hand I have now heard about the same effect on 2
different unrelated machines via friends on quakenet (irc)
<Mikeh> email from a m8
<Mikeh> got a bit of a prob
<Mikeh> with me pc, when i go online, after about a minute i get a
message saying
<Mikeh> "system is shutting down please save all work inj progress and
log off,
<Mikeh> system shut down was initiated by NT Authority/system.
This could be something totally unrelated but the fact I have now heard
about it from 2 people since last night of whom 1 was definitely
infected with Sobig.F I think their is code out there.
Putting this together with the comments made on the list about traffic
on udp port 8998 to a different set of ips from some of the Sobig.F
infected hosts leads me to suggest that there is "something" going on
but as to what I have very little idea as my only windows machine is for
playing games on and so sees no email or direct net traffic.
--
Tim Fletcher
.~.
tim@night-shade.org.uk /V\ L I N U X
// \\ >Don't fear the penguin<
irc: Night-Shade on Quakenet /( )\
^^-^^
Do not meddle in the affairs of dragons,
for you are crunchy and taste good with ketchup.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Sat Aug 23 2003 - 11:18:59 PDT