Subject: Re: Calling networking specialists please...
From: gheston@hiwaay.net (Gary Heston)
Date: 01/09/2003, 04:09
Newsgroups: alt.sci.seti

In article <p9g4b.718$Ok2.6940742@news-text.cableinet.net>,
Dom  <dombucket@blueyonder.co.uk> wrote:
Gary Heston wrote:
In article <birofc$nak$2@hercules.btinternet.com>,
Nick M V Salmon <spam_dump@btinternet.com> wrote:
"BW" <noone@nowhere.com> wrote
Don't know if this is it, but I have seen "Pings" at about a 2 / min rate
hitting my firewall in the same time frame.    [ ... ]

Blaster worm, it figures, I'd thought it might be that because the problem
started at roughly the same time that was set loose 'into the wild'. :-/

It's not MS Blaster, it's the SOBIG.F email worm. MS Blaster and Welchia (the
anti-blaster disaster) target the RPC port instead of doing a ping.

The Welchia worm tries to use pings to locate other machines that
may be infected:

<http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html>

You're correct; I'm confused from all the crap that's been hitting us 
at work. In the middle of the SOBIG.F/Welchia hit, our firewall died,
causing us a _lot_ of fun...  :-(

I have seen two cases of corporate networks infected with this one and
in both cases the networks were virtually unusable due to the number
of ICMP packets being sent.

I was lucky - I run W98 and Linux - neither of which can get infected
with these viruses. But it doesn't stop them from trying.  Zone Alarm
is blocking 4-5 ICMP Type 8's a minute and the cable modem activity
light is on almost constantly.
   [ ... ]

At the moment, I've got 206 hits in the last couple of hours; all but a
handful are pings or port 135 probes. This on a dial-up, where I have
an unusually fast 33.6kb connection.

Had a few probes to port 17300; probably the next fun thing to deal with...


Gary

-- Gary Heston gheston@hiwaay.net Remember that the Patriot Act was written not by patriots, but by politicians seeking votes and bureaucrats seeking power.