>close tcp port 3127 on client side

You would have to block the whole range from 3127 to 3198 and not just 3127.
But this blocks just the remote access component and not the smtp component
of it.
See http://vil.nai.com/vil/content/v_100983.htm for more details.

Adrian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Buchwalder
Sent: Tuesday, January 27, 2004 10:59 PM
To: [EMAIL PROTECTED]
Subject: Re: [swinog] New worm is spreading fast...


Hello

can confirm that too

Mydoom is the name. close tcp port 3127 on client side (they who are
already infected) will help...

Rog

Michel Renfer wrote:
> Hi All
>
> We see more and more blocked emails in our antivirus daemon for this
> type of virus:
>
> Antivirus Nachricht(en):
> infected with Win32.HLLM.MyDoom.32768
>
> Seems to be a very bad one...
>
>
>>[EMAIL PROTECTED] is a mass-mailing worm. The worm will arrive
>>as an attachment with a file extension of .bat, .cmd, .exe,
>>.pif, .scr, or .zip.
>>
>>When the machine gets infected, the worm will set up a
>>backdoor into the system by opening TCP ports 3127 thru 3198.
>>This will potentially allow a hacker to connect to the
>>machine and utilize it as a proxy to gain access to its
>>network resources. In addition, the backdoor has the ability
>>to download and execute arbitrary files.
>>
>>The worm will perform a DoS starting on February 1, 2004. On
>>February 12, 2004 the worm has a trigger date to stop spreading.
>>
>
>
>
> regards,
> michel
> ----------------------------------------------
> [EMAIL PROTECTED] Maillist-Archive:
> http://www.mail-archive.com/swinog%40swinog.ch/
>
>

