Re: Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic…

Top Page
This message is part of the following thread:
M\the complete thread tree sorted by date
MMJames Finstrom at <-
Mwalter tocalini at ->
Attachments:
Message as email
+ (text/plain)
Delete this message
Reply to this message
Author: Technomage
Date:  
To: plug-discuss
Subject: Re: Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic in my Linux firewall?
On 5/19/10 5:44 PM, wrote:
> Hello World:
> Long story short:
> I got an "official" notification that a computer behind my Linux
> firewall has the "Win32.Worm.Allaple.Gen" virus.
> I have some 150 puters NAT(ed) behind that firewall and no access
> whatsoever to any of them.
> Question is:
> What can I do at the Firewall level to identify the virus' traffic so
> I can harvest the puter's IP address...
> Thanks!
> ET
from
http://www.threatexpert.com/report.aspx?md5=732f8e67310a1de1c945948bda2512eb
***********
Summary of the findings:
What's been found:
A network-aware worm that uses known exploit(s) in order to replicate
across vulnerable networks.
MS04-012: DCOM RPC Overflow exploit - replication across TCP
135/139/445/593 (common for Blaster, Welchia, Spybot, Randex, other IRC
Bots).
Contains characteristics of an identified security risk.
***********
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss

This message was posted to the following mailing lists:
Plug Discuss
Mailing List Info | Nearby Messages		<-Re: Killing PLUG softlyRe: Sortta OT: How do I see "Win32.Worm.Allaple.Gen" traffic in my Linux firewall?->
Some Mailing List Archive administrated by UnconfiguredLurker (version 2.3)