SANS ISC InfoSec Handlers Diary Blog



Beagle Backdoor Port, Wakeup Call from NetSky.G and NetSky.H

Published: 2004-03-06
Last Updated: 2004-03-07 18:37:03 UTC
by Joshua Wright (Version: 1)
Beagle Backdoor Port

All variants of the Beagle virus so far have opened a listener on TCP/2745. One source has indicated that there is underground activity in making this port accessible for arbitrary remote code execution on Beagle infected machines. We've seen an increase in scanning for this port over the past few days as well. Organizations can use this "feature" of the Beagle virus to scan their own networks to track down infected machines by scanning for TCP/2745.
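One way to run the self-scan described above, as an added example that is not part of the original diary: a TCP connect sweep of a network block you administer, reporting hosts that accept connections on TCP/2745. The function names and the default range are assumptions, and an open port marks a host for follow-up rather than confirming an infection.

```python
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

BEAGLE_PORT = 2745  # TCP listener opened by Beagle variants, per the diary


def probe(host, port=BEAGLE_PORT, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP connect attempt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered with RST: nothing listening
    except OSError:
        return "filtered"    # timeout or unreachable: host down or firewalled


def sweep(cidr, port=BEAGLE_PORT, timeout=1.0, workers=64):
    """Probe every host address in `cidr` concurrently; return {ip: state}."""
    net = ipaddress.ip_network(cidr, strict=False)
    # Older Python versions return no hosts for a /32, so fall back to the address.
    hosts = [str(h) for h in net.hosts()] or [str(net.network_address)]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = pool.map(lambda h: probe(h, port, timeout), hosts)
        return dict(zip(hosts, states))


def suspects(results):
    """Hosts with the port open, sorted numerically by address."""
    open_hosts = (ip for ip, state in results.items() if state == "open")
    return sorted(open_hosts, key=ipaddress.ip_address)


if __name__ == "__main__":
    import sys
    # The range is an assumption: pass a CIDR block you administer.
    found = suspects(sweep(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1/32"))
    for ip in found:
        print(f"{ip} tcp/{BEAGLE_PORT} open - check for Beagle")
    sys.exit(1 if found else 0)
```

The non-zero exit status when any host is found lets the sweep run from a scheduled job that alerts on failure.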

Wakeup Call from NetSky.G and NetSky.H

Symantec Security Response reported that systems infected with NetSky G and H variants will get a wakeup call from their PC speakers on March 8th between 11:00am and 12:00pm local time (H variant) or March 10th between 6:00am and 9:00am local time (G variant):

"If an infected computer's time is between 6:00 A.M. and 9:00 A.M. on Tuesday, March 10, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency."

http://www.sarc.com/avcenter/venc/data/w32.netsky.g@mm.html

"If an infected computer's system clock is between 11:00 A.M. and 12:00 P.M. on March 8, 2004, the PC speaker will beep in a continuous loop. Each beep will be for a random period of time, at a random frequency."

http://www.sarc.com/avcenter/venc/data/w32.netsky.h@mm.html

Note that March 10th, 2004 is a Wednesday, not a Tuesday as indicated on the Symantec website. Thanks to the astute reader who pointed this out.

--Joshua Wright/Handler on Duty