Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: LDAP Scan increase. Win98 ASN.1 patch, MyDoom Remover, Win98 free update CD - SANS Internet Storm Center SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
LDAP Scan increase. Win98 ASN.1 patch, MyDoom Remover, Win98 free update CD
LDAP scan increase
We are seeing a significant increase in scans for port 389. This port is
associated with LDAP. LDAP is used by a variety of different systems,
in particular Windows active directory. At this point, it is not clear
what these scans are attempting to accomplish. If you have any information,
in particular FULL PACKET CAPTURES (not just firewall logs), let us know.
The increase in port 389 scans is believed to be due to a new exploit
against the iMail LDAP server. The exploit has been posted here:
Windows 98 ASN.1 Patch

Readers reported to our handlers team that Microsoft is distributing a patch
for the ASN.1 issue to Windows 98 users per request. If you are running Windows
98, contact your Microsoft representative for the location of the patch.

As reported earlier, the ASN.1 advisory MS04-007 only covers newer versions of
Windows. Windows 98 is however still vulnerable.

Workaround: you may want to consider renaming or removing msasn1.dll. However, please test this fix carefully as it may break some software.

Careful! Do not trust any patches sent via e-mail.

MyDoom Remover release via Windows Update

Currently, Microsoft is offering a MyDoom virus remover via its Windows Update service.

Free Windows Patch CD

Microsoft offers a free patch CD for all currently supported versions of windows.
You can order a CD here:

Johannes Ullrich, SANS Institute

I will be teaching next: Application Security: Securing Web Apps, APIs, and Microservices - SANS London June 2022


4479 Posts
ISC Handler
Feb 23rd 2004

Sign Up for Free or Log In to start participating in the conversation!