Re: [Full-Disclosure] Anybody know what Sobig.F has downloaded?

[Tim Fletcher <tim@night-shade.org.uk>]

On Fri, 2003-08-22 at 21:33, Compton, Rich wrote:
> As many of you know, the latest Sobig.F virus was scheduled to begin
> downloading unknown code from various IPs at 3:00 EST today on UDP port
> 8998.  Does anybody have any idea what this code is?  Are the infected boxes
> actually downloading code?  Does anybody have an infected Windoze box with
> Sobig that can see what code was downloaded?

While this is 2nd hand I have now heard about the same effect on 2
different unrelated machines via friends on quakenet (irc)

<Mikeh> email from a m8
<Mikeh> got a bit of a prob
<Mikeh> with me pc, when i go online, after about a minute i get a
message saying
<Mikeh> "system is shutting down please save all work inj progress and
log off,
<Mikeh> system shut down was initiated by NT Authority/system.

This could be something totally unrelated but the fact I have now heard
about it from 2 people since last night of whom 1 was definitely
infected with Sobig.F I think their is code out there. 

Putting this together with the comments made on the list about traffic
on udp port 8998 to a different set of ips from some of the Sobig.F
infected hosts leads me to suggest that there is "something" going on
but as to what I have very little idea as my only windows machine is for
playing games on and so sees no email or direct net traffic.

-- 
   Tim Fletcher 

                                     .~.
       tim@night-shade.org.uk        /V\      L   I   N   U   X   
                                    // \\  >Don't fear the penguin<
   irc: Night-Shade on Quakenet    /(   )\
                                    ^^-^^

Do not meddle in the affairs of dragons, 
for you are crunchy and taste good with ketchup.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html