Hosted Environments
Managed Application Hosting, Web Hosting, and Mail Hosting Services. Superior performance, reliability and personalized service.

Call Us : 866-764-8324 (TECH)

Email : support@hostedenvironments.net

TCP Port 2967 Security

Mon, 19th January, 2009 - Posted by Administration

The source jump from 40,000 to 80,000 with a large number of them originating in China. Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This following links give a rather good explanation of the exploit.

Related Links

  1. Arbor Networks
  2. That New Bot: IRC Bot attacking Symantec Overflow

Helpful hints: Look in C/windows for w32svc.exe. That’s a bad thing if you have it. Also, look in services for “Windows Network Firewall”, another bad thing.

Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en mass to discover other hosts to infect.

Category : Security
Share/Save/Bookmark

You must be logged in to post a comment.