[58929] in North American Network Operators' Group
Re: Bugbear.b (worm du jour)
daemon@ATHENA.MIT.EDU (Eric Anderson)
Thu Jun 5 22:10:20 2003
Date: Thu, 5 Jun 2003 19:09:46 -0700
From: Eric Anderson <anderson@cs.uoregon.edu>
To: Jack Bates <jbates@brightok.net>
Cc: nanog@merit.edu
Mail-Followup-To: Jack Bates <jbates@brightok.net>, nanog@merit.edu
In-Reply-To: <3EDFF47B.8030706@brightok.net>; from jbates@brightok.net on Thu, Jun 05, 2003 at 08:55:07PM -0500
Errors-To: owner-nanog-outgoing@merit.edu

Maybe I should clarify: By "very slowly" I meant that this should spread
significantly more slowly than something which is able to exploit a
vulnerability and start executing as soon as it finds a susceptible host. If
it's been in the wild for 12 hours without compromising most of the vulnerable
hosts, that's slow relative to what's possible.

Thus spake Jack Bates (jbates@brightok.net):
[snip]
>
> That is a very bad assumption to make. Not all AV software can detect
> the various variations of it yet. In addition, there are many EUs that
> will still run any executable that shows up in their inbox. Many reports
> of the Microsoft Patch scam being used with this one.
>
> It is multipart MIME, so my current stripping methods will protect the
> mailboxes on my system.
>
> -Jack