Roxy is also known as 'Randex' We have seen some vendor laptops come in infected with this. One 'undocumented' feature we have found related to this is the presence of the serv-u ftp server listening on port 81 of these machines.
>Message: 20 >Subject: RE: [Full-Disclosure] Increased TCP 139 Activity >Date: Wed, 8 Oct 2003 10:57:26 -0500 >From: "Williams Jon" <[EMAIL PROTECTED]> >To: [EMAIL PROTECTED] > > >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >I've had two machines act as if they were infected with something, >one on Saturday, and then one on Monday. They each went through and >tried to scan a whole Class B network (it failed, due to our >firewalls) on ports 139 and 445, both ports per address, one packet >per host. Each "infected" machine stopped when they reached the end >of the Class B. Neither machine "selected" a network to scan that >was related to their own IP address. Both machines scanned >non-sequentially. > >Both machines were taken offline and scanned for viruses. Both >showed positive for Blaster and one showed positive for a backdoor >called Roxy(?). Both were cleaned and patched and reconnected, and >we haven't seen another scan like that since, although we've been >watching closely. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
