April 23rd, 2004, 06:24 PM
Well... If by "someone was trying to access a Japan port 300 times from an internal machine" do you mean that you detected someone in your office trying to access it? Or is it from the outside?
April 26th, 2004, 01:47 PM
Ok.. here is what happened:
On different infected machines we found three different worms:
These worms are NOT documented by Symantec (we submitted all the infected files to them and never got any reply). We got more info from our investigations and finally found some information on the Trend Micro website.
Since we didn't find any removal tool for this worm, we coded one that simply removes registry entries and various files that it writes on the disk. Now that we ran the fix on all the infected workstations, the situation is back to normal.
One last interesting thing... when doing a "strings" on one of the infected files we can clearly see that one of them is called "rBot".
Thanks to you for submitting your ideas,