[44003] in North American Network Operators' Group
kornet.net abuse desk is mailing out W32.Nimda.E@mm worm
daemon@ATHENA.MIT.EDU (Kai Schlichting)
Tue Oct 30 13:37:14 2001
Date: Tue, 30 Oct 2001 13:36:37 -0500
From: Kai Schlichting <kai@pac-rim.net>
Message-ID: <195358945566.20011030133637@conti.nu>
To: nanog@merit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Errors-To: owner-nanog-outgoing@merit.edu
If you or your staff have dealt with kornet.net (a Korean ISP belonging
to Korean Telecom), and specifically abuse@kornet.net in the past, beware:
It seems that they've been overrun by the brand-spanking-new W32.Nimda.E@mm
worm (**) sometime late last night.

Specific case in hand: yesterday at 9:40pm EST, I received a mail
with a Subject: line of an UNRELATED abuse issue (hello MFNX/XO/
Above.net :) that contains a MIME attachment with an auto-playing
"sound file" of sample.exe, opened in an <iframe> of your favorite
Microsoft email client. Source IP of the mailing: 210.222.17.36 (/24).

Mental note to all abuse desk personnel and publicly visible contacts:
do not use Microsoft, or any other widely used piece of software to
read and process your mail. Auto-adding mail senders to your Outlook
addressbook could be considered a deadly sin. Anti-Virus software
with definitions older than 24 hrs seems to be a real hazard, too.

bye, Kai

(**)
http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.e@mm.html
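
An added example, not part of the original post: a mail-gateway style check for the mismatch the message describes, a MIME part declared as audio whose filename is an executable. The function names, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
from email import policy

# Extensions Windows will run directly; a short illustrative set, not exhaustive.
EXECUTABLE_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")

def mislabeled_executables(raw_message: bytes):
    """Return (content_type, filename, html_has_iframe) for every MIME part
    declared as audio/* whose filename ends in an executable extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    parts = list(msg.walk())
    # The post describes the attachment being opened in an <iframe>, so the
    # presence of one in any HTML body is reported alongside each hit.
    html_has_iframe = any(
        p.get_content_type() == "text/html" and "<iframe" in p.get_content().lower()
        for p in parts
    )
    findings = []
    for p in parts:
        ctype = p.get_content_type()
        # get_filename() falls back to the Content-Type "name" parameter.
        name = (p.get_filename() or "").lower()
        if ctype.startswith("audio/") and name.endswith(EXECUTABLE_EXTS):
            findings.append((ctype, name, html_has_iframe))
    return findings

def build_sample(attachment_name: str) -> bytes:
    """Constructed test message; the payload is three zero bytes, not malware."""
    return (
        "From: sender@example.net\r\n"
        "Subject: constructed sample\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="b1"\r\n'
        "\r\n"
        "--b1\r\n"
        "Content-Type: text/html; charset=us-ascii\r\n"
        "\r\n"
        '<html><body><iframe src="cid:part1"></iframe></body></html>\r\n'
        "--b1\r\n"
        f'Content-Type: audio/x-wav; name="{attachment_name}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        "Content-ID: <part1>\r\n"
        "\r\n"
        "AAAA\r\n"
        "--b1--\r\n"
    ).encode("ascii")

if __name__ == "__main__":
    print(mislabeled_executables(build_sample("sample.exe")))
```

A gateway would quarantine any message for which the returned list is non-empty, independent of anti-virus signature age.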