Outbreak of a virus on campus, scanning tcp 80/6129/1025/3127

[Jeff Kell <jeff-kell () utc edu>]

We have had a significant outbreak of a yet-unidentified virus on campus 
 covering several dozen machines and one remote lab (possibly 100 in 
all).  The characteristics I have observed remotely (no possibility of 
forensics at the moment, just shutting down ports) are as follows:

* listens on two random, high-numbered tcp ports
* picks a random address within the infected machine's /8 subnet
* scans (in order) 80, 6129, 1025, 3127 (all tcp) from ephemeral
  source ports (the source port is not fixed).

It could have gained entry via tcp/1025 as all the others are blocked on 
ingress, or it could have been brought inside via laptop.  Strangely 
enough it has not been detected in our dorms (where most of our slime 
tends to grow).  An off-campus lab connected via half a T1 was almost 
entirely consumed, I have shutdown their serial interface (can't 
diagnose this one as the packet loss was incredibly high).

I suspect this originated as one of the MS04-xxxx exploits patched last 
week, we've already done this exercise with other RPC-ish 
vulnerabilities and taken time to update lab machines.

Sound familiar to anyone?

Jeff Kell
University of Tennessee at Chattanooga


---------------------------------------------------------------------------
----------------------------------------------------------------------------