Security Incidents mailing list archives

Re: Concept Virus(CV) V.5 - Advisory and Quick analysis


From: "Michael H. Warfield" <mhw () wittsend com>
Date: Tue, 18 Sep 2001 21:10:58 -0400

On Tue, Sep 18, 2001 at 05:43:40PM -0400, Jose Nazario wrote:
On Tue, 18 Sep 2001, Olle Segerdahl wrote:

Quick analysis indicates that it propagates itself in a number of
different ways:

any info on how it determines the networks to spread to/ scan? the email
and IIS vulnerability scans are what i'm talking about. is it assuming
class B addresses?

i ask because our netmasks around here are in the neighborhood of /22,
though our servers are seeing scans from the whole /16.

        Seems to be weighted probabilistic on octet boundaries.  Probes to
a /16 are more probable than probes to /8 which are more probable than
probes to /0.  Some reports indicate higher probability to /24 but
I can't personally confirm that (since I control all /24 range space
that any of my servers reside in).  Just because it's more likely
to probe within the /16 space it resides in, it doesn't mean that it
won't probe outside of it.  Quite the contrary, actually.

i haven't been tracking the email propagation.

thanks.

____________________________
jose nazario                                               jose () cwru edu
                   PGP: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
                                     PGP key ID 0xFD37F4E5 (pgp.mit.edu)


        Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw () WittsEnd com
  (The Mad Wizard)      |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
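
The octet-boundary weighting described in the reply above can be checked from the receiving side. The following is an added example, not part of the original thread: it buckets probe sources by how many leading octets they share with the logging server and compares each bucket with what uniformly random scanning would produce. The log format (`src=` field), the addresses and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Index = number of leading octets shared with the server (capped at 3).
LABELS = ["elsewhere", "same /8", "same /16", "same /24"]
# Chance that a uniformly random IPv4 source falls in each bucket.
UNIFORM = {"elsewhere": 255 / 2**8, "same /8": 255 / 2**16,
           "same /16": 255 / 2**24, "same /24": 1 / 2**24}
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")

def shared_octets(a, b):
    """Count the leading octets two IPv4 addresses have in common (0-4)."""
    pa, pb = ipaddress.IPv4Address(a).packed, ipaddress.IPv4Address(b).packed
    n = 0
    for x, y in zip(pa, pb):
        if x != y:
            break
        n += 1
    return n

def locality_profile(server_ip, log_lines):
    """Return {bucket: (hits, observed share / uniform share)} for one server."""
    counts = Counter()
    for line in log_lines:
        m = SRC_RE.search(line)
        if not m:
            continue  # line carries no source field
        try:
            n = shared_octets(server_ip, m.group(1))
        except ipaddress.AddressValueError:
            continue  # e.g. an octet above 255 in a damaged log line
        counts[LABELS[min(n, 3)]] += 1
    total = sum(counts.values())
    return {lab: (counts[lab], (counts[lab] / total) / UNIFORM[lab] if total else 0.0)
            for lab in LABELS}

# Constructed sample: probes logged by a server at 10.20.30.40.
SAMPLE_LOG = [f"2001-09-18 21:0{i}:00 src={ip} dport=80" for i, ip in enumerate(
    ["10.20.30.7", "10.20.5.9", "10.20.200.1", "10.20.77.3", "10.99.1.1",
     "10.3.3.3", "192.0.2.55", "198.51.100.9", "999.1.1.1"])] + ["log rotated"]

if __name__ == "__main__":
    for label, (hits, ratio) in locality_profile("10.20.30.40", SAMPLE_LOG).items():
        print(f"{label:10s} hits={hits} x{ratio:,.1f} vs uniform")
```

A ratio far above 1 for the nearer buckets and below 1 for "elsewhere" is the signature of locally weighted scanning; a real assessment needs far more than a handful of log lines.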

