Kowbot worm targets Kazaa network

Discussion in 'malware problems & news' started by spy1, Jul 1, 2002.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    "By James Middleton [01-07-2002]

    Virus masquerades as appealing media files

    Users of the Kazaa file-sharing network were today warned about the second virus in as many months to infect users.

    The virus, known as the Kowbot worm, is able to take control of the victim's computer as well as update itself automatically and send information out from the host machine. It can also be used as a remote control internet relay chat (IRC) bot and to attack IRC chat servers."

    Rest of article here: http://www.vnunet.com/News/1133129 . Pete
     
  2. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    :eek: I've had over 60 hits to my Port #1214 since 22:51 from the Kazaa Service, various Intruder IP's. And, what's really strange is the Local IP is not mine! I suppose it's on my LAN. I shall report to my ISP and I have already sent this data to Dshield. My ZA is lit up like a Xmas tree! The time is now 23:22! :rolleyes:
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    This has nothing to do with the new worm, and those are not really "intruders".
    If you are a user of Kazaa, or if your IP was formerly used by someone using Kazaa, other PCs simply ping this address to see whether it's still available for d/l. I happened to get hundreds of probes a day on port 1214, or Gnutella port 6346, or 5631, the default PCAnywhere port :)

    Just change your dynamic IP and you will be quiet (unless you get one also used by a Kazaa user :))

    As for the address not being one of yours, how could ZA warn if it is not one of the interfaces of the PC it is protecting?

    You may easily find out your IPs: IPCONFIG /ALL (Win2k or XP)
    or winipcfg (Win95/98/Me)

    Rgds,

    JacK
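
One way to triage a firewall log along the lines of the reply above, as an added example that is not part of the original thread: it groups hits by source, separates sources that only touched the Kazaa/Gnutella ports from sources sweeping several ports, and lists logged destination addresses that are not local interfaces. The log format, the addresses, the threshold and the `triage` function are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

P2P_PORTS = {1214: "Kazaa", 6346: "Gnutella"}  # file-sharing ports named in the post

# Constructed sample log: time, source IP, destination IP, destination port.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
22:51:03,198.51.100.7,192.0.2.44,1214
22:52:10,198.51.100.9,192.0.2.44,1214
22:53:41,198.51.100.7,192.0.2.44,1214
22:55:02,203.0.113.5,192.0.2.44,21
22:55:03,203.0.113.5,192.0.2.44,1433
22:55:04,203.0.113.5,192.0.2.44,27374
22:58:19,198.51.100.23,192.0.2.99,1214
23:01:00,203.0.113.80,192.0.2.44,5631
"""


def triage(log_text, local_ips, sweep_threshold=3):
    """Group firewall hits by source and classify each source."""
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    ports_by_src = defaultdict(set)
    foreign_dst = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, src, dst, port = (f.strip() for f in line.split(","))
        if ipaddress.ip_address(dst) not in local:
            foreign_dst.add(dst)  # hit logged for an address this PC does not hold
        ports_by_src[str(ipaddress.ip_address(src))].add(int(port))
    report = {"p2p_peer": [], "sweep": [], "other": []}
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= sweep_threshold:
            kind = "sweep"      # one source trying several different ports
        elif ports <= set(P2P_PORTS):
            kind = "p2p_peer"   # only file-sharing ports: likely a leftover peer
        else:
            kind = "other"
        report[kind].append(src)
    report["foreign_dst"] = sorted(foreign_dst)
    return report


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG, ["192.0.2.44"]).items():
        print(kind, items)
```

Pass the addresses reported by IPCONFIG /ALL or winipcfg as `local_ips`.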
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    I had the same IPs for a long time and never used those networks. I haven't had a single probe on those ports. All SQL server, Sub7, ftp, and a few other stragglers.
     
  5. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    JacK is right (of course)

    I used KaZaa before the record companies hired some virus writers (I'm joking, obviously) and do get about 40 of these checks on port 1214 every evening.

    Prince_Serendip, you must have some interesting stuff to d/l

    Regards,

    Pieter
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,312
    Location:
    Netherlands
    For those looking for a removal tool: http://php.zdnet.de/download/showprg-wc.php3?id=de0DP1

    [EDIT] Bitdefender has added a tool to their collection as well:
    http://www.bitdefender.com/html/free_tools.php [/EDIT]

    Regards,

    Pieter
     
  7. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Thanks for the reassurances! :) I got very excited because I have NEVER had probes from the Kazaa Service before. And also, never have I had an alternate Local IP come up before! I will check my IP cfg. What's really bizarre is this all started after I read this posting last night. Weird!

    (At the time, I couldn't check on it because I had to leave right away.) I informed my ISP about the different IP showing up on the ZA reading. They said they'd check from their end. I do not use Kazaa. Never have, not ever!
     
  8. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I used winipcfg in the Run Command. My Local IP is set to 0.0.0.0. These are default settings of my ISP's DSL Program. Can I or should I enter my actual IP? Something else? I can also check this with my ISP. What do you think?

    I checked this through at Dshield, and you're right. It's of Low Danger/Priority (green). (This whole thing is about my learning more a little at a time! This is good. Thanks for the patience.) :)
     