The following came through dshield which warns about new worm: --- To: dshieldannounce@dshield.org Subject: [Dshieldannounce] likely RPC worm captured. Moving to infocon 'yellow' We received a copy of a binary that very much looks like an RPC worm. Preliminary info: - scans for port 135 as soon as it starts point) more details will be posted at http://isc.sans.org as they become available. Please submit code captures and the like to 'handlers@sans.org' -- SANS - Internet Storm Center http://isc.sans.org On Mon, 11 Aug 2003, Jack Bates wrote:
I'm showing signs of an RPC sweep across one of my networks that's killing some XP machines (only XP confirmed). How wide spread is this at this time. Also, does anyone know if this is just generating a DOS symptom or if I should be looking for backdoors in these client systems?
-Jack