On Sat, 2003-08-23 at 18:55, Tim Fletcher wrote:
> On Fri, 2003-08-22 at 21:33, Compton, Rich wrote:
> > As many of you know, the latest Sobig.F virus was scheduled to begin
> > downloading unknown code from various IPs at 3:00 EST today on UDP port
> > 8998. Does anybody have any idea what this code is? Are the infected boxes
> > actually downloading code? Does anybody have an infected Windoze box with
> > Sobig that can see what code was downloaded?
>
> While this is 2nd hand I have now heard about the same effect on 2
> different unrelated machines via friends on quakenet (irc)
>
> <Mikeh> email from a m8
> <Mikeh> got a bit of a prob
> <Mikeh> with me pc, when i go online, after about a minute i get a
> message saying
> <Mikeh> "system is shutting down please save all work inj progress and
> log off,
> <Mikeh> system shut down was initiated by NT Authority/system.
>
> This could be something totally unrelated but the fact I have now heard
> about it from 2 people since last night of whom 1 was definitely
> infected with Sobig.F I think their is code out there.
>
> Putting this together with the comments made on the list about traffic
> on udp port 8998 to a different set of ips from some of the Sobig.F
> infected hosts leads me to suggest that there is "something" going on
> but as to what I have very little idea as my only windows machine is for
> playing games on and so sees no email or direct net traffic.
I appear to be putting 2 and 2 together and getting 5 1/2 it's now less
clear (at least to me) if this is MSBlaster of Sobig.F
Sorry for the additional noise
--
Tim Fletcher
.~.
tim@night-shade.org.uk /V\ L I N U X
// \\ >Don't fear the penguin<
irc: Night-Shade on Quakenet /( )\
^^-^^
Justice is incidental to law and order.
-- J. Edgar Hoover
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
This archive was generated by hypermail 2b30 : Sat Aug 23 2003 - 11:50:22 PDT