We have had one report of a user receiving traffic on multicast addresses 244.1.0.0 with a negative source port and a destination port of 4. Some firewalls translate the source port to 0. We are interested in hearing from anyone else seeing similar traffic, and in packet traces.

The source of the German right-wing spam making its rounds on the Internet the last few days has been identified as a variant of the Sober worm. It is identified by a file called datacrypt.exe and is launched from the registry under HKLM/software/microsoft/windows/currentversion/run/. The infection method is the same as Sober.G. On startup it connects to a time server in Berlin and then begins to send email messages.

Reports are being received relating to vulnerabilities in RealPlayer services. You may wish to block on your firewalls the ports listed below that the RealPlayer services use. That will not completely mitigate this vulnerability, as it could be triggered by downloading (via HTTP, FTP ...) a RealPlayer movie and running it locally. Until RealPlayer is patched on any vulnerable system, I would recommend that you disable RealPlayer as the default application for opening .RA, .RM, .RV or .RMJ files. In XP you can do that by browsing to your C: drive and selecting a folder, then from the toolbar selecting Folder Options and File Types. Look for files opened by RealPlayer and change those to be opened by another application or to not have a default application.

Well-known ports used by RealServers:

- TCP port 7070 for connecting to pre-G2 RealServers
- TCP port 554 and 7070 for connecting to G2 RealServers
- UDP ports 6970 - 7170 (inclusive) for incoming traffic only
Dan
Jun 12th 2004
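To see what a firewall block on the listed ports would and would not cover, the following added example (not part of the original diary entry) checks flow records against the port list above. The log line format, the sample addresses, and the reading of direction (TCP outbound from the client, UDP inbound to it) are assumptions made for this example.

```python
import re

# Port list as given in the diary entry. Direction is this example's reading
# of its wording: the TCP ports are "for connecting to" RealServers (outbound
# from the client); the UDP range is "for incoming traffic only".
TCP_OUT_PORTS = {554, 7070}
UDP_IN_RANGE = range(6970, 7171)  # 6970-7170 inclusive

# Hypothetical log format: "<dir> <proto> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(IN|OUT)\s+(TCP|UDP)\s+(\S+):(\d+)\s+->\s+(\S+):(\d+)$"
)

def classify(line):
    """Return a label if the flow uses a listed RealPlayer port, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    direction, proto, _src, _sport, _dst, dport = m.groups()
    dport = int(dport)
    if proto == "TCP" and direction == "OUT" and dport in TCP_OUT_PORTS:
        return f"realplayer-tcp-{dport}"
    if proto == "UDP" and direction == "IN" and dport in UDP_IN_RANGE:
        return "realplayer-udp-in"
    return None

def triage(lines):
    """Return (line, label) pairs for flows a port block would cover."""
    return [(l, lab) for l in lines if (lab := classify(l)) is not None]

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    "OUT TCP 192.0.2.10:1045 -> 198.51.100.7:554",
    "OUT TCP 192.0.2.10:1046 -> 198.51.100.7:7070",
    "IN UDP 198.51.100.7:2001 -> 192.0.2.10:6970",
    "IN UDP 198.51.100.7:2001 -> 192.0.2.10:7170",
    "IN UDP 198.51.100.7:2001 -> 192.0.2.10:7171",   # just outside the range
    "OUT TCP 192.0.2.10:1047 -> 198.51.100.7:80",    # HTTP download: not covered
]

if __name__ == "__main__":
    for line, label in triage(SAMPLE):
        print(f"{label:20} {line}")
```

The last sample line is the case the entry warns about: a media file fetched over HTTP passes a port-based block, which is why changing the file associations is still needed.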