TCP Port 2967 Security

Accounting News
- Maine's Mayo Regional Hospital Selects Sage Intergy EHR September 7, 2010
Career News
- Juggling Multiple Job Offers and Interviews
Career – Monster
- 10 Tips to Improve the Quality of Your Networking September 7, 2010 Katrina Kibben
Citrix News
- Profile Streaming - Performance Gain? September 7, 2010 Michael Glover
Legal News
- Gilani joins government-apex court confrontation September 7, 2010
Recruiting News
- How to Get Your Executives to Pay Attention to Metrics (Part 1 of 2) - ERE Articles September 6, 2010
Recruiting – Blogs
- What Recruitment Metrics should I collect? September 7, 2010 Chris Brablc
Recruiting – Fordyce Letter
- How to Set Goals and Stick to Them! September 7, 2010 Brett Blair
Recruiting – Jobs
- Looking for A Recruiter September 2, 2010 Mike Brown
Virus News
- Microsoft investigates two-year-old IE bug September 7, 2010

Mon, 19th January, 2009 - Posted by Administration

The source jump from 40,000 to 80,000 with a large number of them originating in China. Recent tcp 2967 traffic appears to be related to an IRC BOT mostly aimed at colleges, but others, too. This following links give a rather good explanation of the exploit.

Related Links

Helpful hints: Look in C/windows for w32svc.exe. That’s a bad thing if you have it. Also, look in services for “Windows Network Firewall”, another bad thing.

Exploits an overflow condition in Symantec AV Corp. Masquerades as msupdates.exe, nod33.exe and wauclt.exe. Bot also connects back to an IRC server on a non-standard port. Lives in %windir%\system32 and is set as hidden and read only. Makes many registry changes to the netbt hive under HKLM\System\CurrentControlSet\Services and to the HKLM\SOFTWARE\Microsoft\Windows run and OLE keys. Runs IP scans en mass to discover other hosts to infect.