RE: in case nobody else noticed it, there was a mail worm released today
This lovely little worm will start beating on the door at www.sco.com come Feb 1/04. Interesting huh?

At 09:01 PM 26/01/2004 -0500, Wojtek Zlobicki wrote:
The worm is being talked about on news.com and all the major virus vendors already have advisories on their websites. The worm in my case masqueraded as a Mailer Daemon bounce. Source email address appeared to be valid and matching a domain of a website I visited recently (but have not for a long time). Anyone know how the worm generates the sending domain?
-----Original Message-----
From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul Vixie
Sent: Monday, January 26, 2004 8:52 PM
To: nanog@merit.edu
Subject: in case nobody else noticed it, there was a mail worm released today
my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that unless you need it for comparison or analysis). there's a high degree of splay in the smtp/tcp peer address, and the sender is prepared to try backup MX's if the primary rejects it, though it appears to try the MX's in priority order.
This lovely little worm will start beating on the door at www.sco.com come Feb 1/04. Interesting huh?
Wonder if we should all be proactive to prevent the DoS attack, and drop the A records for www.sco.com now? Just in case any customers' clocks are set forward ;-)

This virus, so far, has been the most prolific (in terms of copies per hour) I've seen on a number of sites' (our own included) virus scanning servers, not a good sign. It did slow down by around 10% at COB AEDT but I wouldn't be surprised to see a big surge as the US business day starts.

Even just my personal inbox is getting around 5/minute (direct copies combined with bounces from forged messages). Interestingly, the vast majority of the bounces are to an address that has never been used to send mail, and is only rarely given over the phone, david@<domain-of-isp-i-work-for>. One of the virus scanners here is getting around 20/second.

David.
participants (2)
- David Luyer
- Timo Janhunen