Full Disclosure mailing list archives

RE: Sobig has a surprise...


From: Ron DuFresne <dufresne () winternet com>
Date: Sat, 23 Aug 2003 10:09:45 -0500 (CDT)

On Fri, 22 Aug 2003, Paul Schmehl wrote:

--On Friday, August 22, 2003 1:27 PM -0600 Jonathan Grotegut
<jgrotegut () directpointe com> wrote:

Anyone able to verify this with another site (eeye, any other antivirus
firm)?

I can verify this.  I wrote a snort rule that looks for outgoing packets to
8998/UDP and I saw machines hitting 20 unique IPs on that port.  So I can
confirm that it is true.



Nick FitzGerald's reply to "Compton, Rich" <RCompton () chartercom com>,
Subject: Re: [Full-disclosure] Anybody know what Sobig.F has downloaded?,
was excellent, and very informative for a large skillbase, and yet the two
postings by Jerry Heidtke <jheidtke () fmlh edu>, Subject: RE:
[Full-Disclosure] Sobig has a surprise..., leave in doubt the issue if
this is the end of the sobig.f issue, I saw nothing posted so far to
indicate that all the systems those infected were to grab code/additional
address info, had been intercepted.

Anyone have more details to the other addresses?

Thanks,

Ron DuFresne
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
        ***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D.  Just don't touch anything.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Current thread: