[Full-Disclosure] sharp increase on 27347/TCP
khermansen at ht-technology.com
Tue Oct 28 23:13:04 GMT 2003
Looks like W32/Spybot.worm.gen discovered on 4/23/2003 and documented here by
"The worm copies itself around and into the folder defined by
"Kazaa\localcontent" registry key and into "kazaabackupfiles" subdirectory.
Some copies may have enticing names (like "porn.exe", "Matrix Screensaver
1.5.scr", "Smart Ripper v2.7.exe", etc.) so other people may download the
worm through P2P file sharing program. Once the downloaded copy of the worm
is executed the cycle repeats itself. Some variants can scan subnets for
systems already infected by sub7 or kuang2 to spread further."
So possibly a whole bunch of hosts on Kazaa became infected rapidly and that
is why we see the spike. To support this, check out who the offending
parties are here:
Looks like Cable/DSL subscribers for the most part. Any thoughts?
Also documented here (notice "research pending") for tcp/27347:
CEO - H&T Technology Solutions
Full-Disclosure is hosted and sponsored by Secunia.