[OPLINTECH] New Worm

Aaron J. Bedra abedra@westervillelibrary.org
Mon, 15 Aug 2005 16:52:00 -0400


A correction to the original notice about the Zotob worm...

This virus is NOT an e-mail worm, but rather a self-replicating net
worm.

It tries to infect on ports 445, 8080, and 33333.

Suggestions are to disable unused services.

A side note to anyone using logging firewalls.

========SNIP from SARC==============

Generates random IP address from the current IP address. The worm does
this by keeping the first two octets of the IP address on the system and
randomizing the last two octets. For example, if the IP address of the
system is 192.168.0.1, the worm will attempt to infect IP addresses
beginning with 192.168.x.x.

  * Attempts to spread to computers with the above random IP address by
    opening a backdoor using TCP port 8888 on the remote computer. The
    worm does this by attempting to exploit the Microsoft Windows Plug
    and Play Service Vulnerability, as described in Microsoft Security
    Bulletin MS05-039.

=========END SNIP===================

***You may want to disable logging access to these particular ports
on your public interfaces, as they can quickly crush a firewall logging
system that is underpowered or running out of space (kind of like SQL
Slammer did)***

Good Luck,

Aaron J. Bedra
IT Specialist
Westerville Public Library
614-882-7277 x114
abedra@westervillelibrary.org
http://www.westervillelibrary.org
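
An added example, not part of the original message or the SARC write-up: one way to reduce firewall log lines to a per-source summary that flags hosts showing the propagation pattern described above (many distinct targets sharing the source's first two octets, on the ports named in the message). The key=value log layout, the sample lines, the function names and the `min_targets` threshold are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Ports named in the message above (445, 8080, 33333, and the 8888 backdoor).
WATCHED_PORTS = {445, 8080, 33333, 8888}
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def same_slash16(a, b):
    """True when two dotted-quad IPv4 addresses share their first two octets."""
    return a.split(".")[:2] == b.split(".")[:2]

def suspected_scanners(lines, min_targets=5):
    """Return {source: distinct same-/16 targets} for sources at or above the threshold.

    min_targets is an assumed threshold; tune it to the network.
    """
    targets = defaultdict(set)
    for line in lines:
        f = dict(FIELD.findall(line))
        # Skip malformed lines, non-TCP traffic and ports we are not watching.
        if f.get("PROTO") != "TCP" or not f.get("DPT", "").isdigit():
            continue
        if int(f["DPT"]) not in WATCHED_PORTS:
            continue
        src, dst = f.get("SRC"), f.get("DST")
        if src and dst and src != dst and same_slash16(src, dst):
            targets[src].add(dst)
    return {s: len(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample log lines (not captured traffic).
SAMPLE = [
    f"IN=eth1 OUT=eth0 SRC=192.168.0.1 DST=192.168.{i * 37 % 256}.{i * 91 % 256} PROTO=TCP SPT={40000 + i} DPT=445"
    for i in range(1, 9)
] + [
    "IN=eth1 OUT=eth0 SRC=192.168.0.7 DST=192.168.0.10 PROTO=TCP SPT=51000 DPT=445",  # single file-server connection
    "IN=eth1 OUT=eth0 SRC=192.168.0.7 DST=10.1.2.3 PROTO=TCP SPT=51001 DPT=8080",  # destination outside the /16
    "IN=eth1 OUT=eth0 SRC=192.168.0.9 DST=192.168.3.4 PROTO=UDP SPT=53 DPT=53",  # not TCP, ignored
    "garbage line without fields",
]

if __name__ == "__main__":
    for src, n in suspected_scanners(SAMPLE).items():
        print(f"{src}: {n} distinct same-/16 targets on watched ports")
```

Keeping only the per-source counts rather than every dropped packet is one way to retain visibility on these ports without the log volume the message warns about.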