For the most part, it was a pretty quiet day, with just the normal noise on the Internet. Here are some things:

Port 39999

Activity to port 39999 was reported today. It appears that may be attempts to connect to a Trojan called Trojan.mitglieder.b.html that sets up a proxy on this port and is used to send spam. Once a system is infected, the Trojan will notify certain sites of the compromise. For more information see

http://www.symantec.com/avcenter/venc/data/trojan.mitglieder.b.html



**As a side note, don't forget that many folks connecting to the Internet use DHCP and as a result, they often inheirit the IP of someone offering services or infected by malicious code that listens on a certain port. As a result, you may see unusual and maybe persistant connection attempts to the port on your box as a result.**

Possible Vesser/W32.HLLW.Deadhat activity

More reports of activity on ports 3127, 3128 and 1080 are coming in. This seems to be consistant with the worm Vesser/W32.HLLW.Deadhat activity. For more information on this see the diary entry from 7 February 04.

http://isc.sans.org/diary.html?date=2004-02-07


Lorna Hutcheson