Fat-Fingered Worm Writers Strike Again

The Internet Storm Center has a post about a strange variant of the Big Yellow Worm that has been scanning an unusual port:
http://isc.sans.org/diary.html?storyid=2040

The port in question (2968/tcp) is reportedly used by the Netware version of SAV. Specifically, it's the port that rtvscan.nlm listens on. It also happens to be one off from the normal SAV port (2967/tcp). I had a chance to go over some of the captures that this beastie is sending out and it is identical to a variant that was released just before Christmas. No differences to account for the fact that it's attacking a Netware system.

That leads us to one of two possible conclusions:

1) The rtvscan.nlm file is vulnerable in exactly the same way as the non-Netware version, or
2) The writer fat-fingered it and specified the wrong port number.

Now, given the fact that Netware has such a tiny, itty bitty installed base, which one do you think is more likely? Me, I'm going for option #2. Way to go dude.