[44005] in North American Network Operators' Group


Re: kornet.net abuse desk is mailing out W32.Nimda.E@mm worm

daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Oct 30 14:14:33 2001

From: "Steven M. Bellovin" <smb@research.att.com>
To: Kai Schlichting <kai@pac-rim.net>
Cc: nanog@merit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 30 Oct 2001 14:13:42 -0500
Message-Id: <20011030191342.88B817C01@berkshire.research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu


In message <195358945566.20011030133637@conti.nu>, Kai Schlichting writes:
>
>If you or your staff have dealt with kornet.net (a Korean ISP belonging
>to Korean Telecom), and specifically abuse@kornet.net in the past, beware:
>It seems that they've been overrun by the brand-spanking-new W32.Nimda.E@mm
>worm (**) sometime late last night.
>
>Specific case in hand: yesterday at 9:40pm EST, I received a mail
>with a Subject: line of an UNRELATED abuse issue (hello MFNX/XO/
>Above.net :) that contains a MIME attachment with an auto-playing
>"sound file" of sample.exe, opened in an <iframe> of your favorite
>Microsoft email client. Source IP of the mailing: 210.222.17.36 (/24).

Note, however, that the From: line on these Nimda variants is also
forged; see http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html
for details.  (I received several messages saying that some mail I sent
was infected with Nimda.E.  This struck me as quite improbable, since I
use NetBSD for all my email and other real work.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
