Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Port 39999; Possible Vesser/W32.HLLW.Deadhat activity

Published: 2004-02-08
Last Updated: 2004-02-09 02:46:01 UTC
by Lorna Hutcheson (Version: 1)
0 comment(s)
For the most part, it was a pretty quiet day, with just the normal noise on the Internet. Here are some things:

Port 39999

Activity to port 39999 was reported today. It appears that may be attempts to connect to a Trojan called Trojan.mitglieder.b.html that sets up a proxy on this port and is used to send spam. Once a system is infected, the Trojan will notify certain sites of the compromise. For more information see

**As a side note, don't forget that many folks connecting to the Internet use DHCP and as a result, they often inheirit the IP of someone offering services or infected by malicious code that listens on a certain port. As a result, you may see unusual and maybe persistant connection attempts to the port on your box as a result.**

Possible Vesser/W32.HLLW.Deadhat activity

More reports of activity on ports 3127, 3128 and 1080 are coming in. This seems to be consistant with the worm Vesser/W32.HLLW.Deadhat activity. For more information on this see the diary entry from 7 February 04.

Lorna Hutcheson

0 comment(s)
Diary Archives