[60744] in North American Network Operators' Group
RE: microsoft.com - what happens when there is no DNS record
daemon@ATHENA.MIT.EDU (Ingevaldson, Dan (ISS Atlanta))
Fri Aug 15 11:15:10 2003
Date: Fri, 15 Aug 2003 11:14:03 -0400
From: "Ingevaldson, Dan (ISS Atlanta)" <dsi@iss.net>
To: "McBurnett, Jim" <jmcburnett@msmgmt.com>,
<Patrick_McAllister@WASHGAS.COM>, "Robbie Foust" <rfoust@duke.edu>
Cc: "Bryan Heitman" <bryan@bryanheitman.com>, <nanog@merit.edu>,
<owner-nanog@merit.edu>, "Chris Horry" <zerbey@wibble.co.uk>
Errors-To: owner-nanog-outgoing@merit.edu
Our assessment of the worm's behavior is below:
If windowsupdate.com fails to resolve, it will return a -1, which is not
interpreted because this routine has no error checking. The worm then
attempts to send its SYN packets to 255.255.255.255, which may have done
some interesting things, but it looks like the Windows raw socket
implementation won't let that packet out. So basically, nothing
happens.
There might be some issues with cached DNS, but besides that it looks
like the majority of the infections won't be doing much of anything
besides eating CPU cycles on the infected hosts.
Regards,
===============================
Daniel Ingevaldson
Engineering Manager, X-Force R&D
dsi@iss.net
404-236-3160
Internet Security Systems, Inc.
The Power to Protect
http://www.iss.net
===============================
-----Original Message-----
From: McBurnett, Jim [mailto:jmcburnett@msmgmt.com]
Sent: Friday, August 15, 2003 10:26 AM
To: Patrick_McAllister@WASHGAS.COM; Robbie Foust
Cc: Bryan Heitman; nanog@merit.edu; owner-nanog@merit.edu; Chris Horry
Subject: RE: microsoft.com
good here thru AT&T and Broadwing..
Jim
-----Original Message-----
From: Patrick_McAllister@WASHGAS.COM
[mailto:Patrick_McAllister@WASHGAS.COM]
Sent: Friday, August 15, 2003 10:16 AM
To: Robbie Foust
Cc: Bryan Heitman; nanog@merit.edu; owner-nanog@merit.edu; Chris Horry
Subject: Re: microsoft.com
No problems here, UUNET out of DC....
Robbie Foust <rfoust@duke.edu>
Sent by: owner-nanog@merit.edu
08/15/2003 10:04 AM
To: Chris Horry <zerbey@wibble.co.uk>
cc: Bryan Heitman <bryan@bryanheitman.com>, nanog@merit.edu
Subject: Re: microsoft.com
I've had no problem getting to Microsoft's site(s) today...I'm in the
southeastern US if it makes a difference.
- Robbie
Chris Horry wrote:
>
> Bryan Heitman wrote:
>
>> Several networks I have talked to are reporting they can't get to
>> www.microsoft.com
>>
>> Has the virus begun? anyone?
>
>
> Yep, remember it's already August 16th in some parts of the world.
> Unable to get to www.microsoft.com at 0958 EDT.
>
> Chris
>
--
Robbie Foust, IT Analyst
Systems and Core Services
Duke University
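
The failure mode in the assessment at the top of this message, as an added example that is not part of the original e-mail or the worm's code: a lookup that reports failure in-band as -1 hands an unchecked caller the address 255.255.255.255. `inet_addr()` is an assumed stand-in for the unnamed lookup routine because it has the same -1 convention and runs offline; the function names and sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for the worm's lookup routine: inet_addr() signals
 * failure in-band as INADDR_NONE, which is (in_addr_t)-1. */
static in_addr_t lookup_inband(const char *host)
{
    return inet_addr(host);
}

/* Unchecked caller: the return value is used as the destination as-is. */
static const char *target_unchecked(const char *host, char *buf, size_t len)
{
    struct in_addr dst;
    dst.s_addr = lookup_inband(host);
    return inet_ntop(AF_INET, &dst, buf, (socklen_t)len);
}

/* Checked caller: success or failure is reported separately from the
 * address, and broadcast or unspecified results are refused.
 * Returns 0 and fills *dst on success, -1 otherwise. */
static int target_checked(const char *host, struct in_addr *dst)
{
    if (inet_pton(AF_INET, host, dst) != 1)
        return -1;
    if (dst->s_addr == htonl(INADDR_BROADCAST) ||
        dst->s_addr == htonl(INADDR_ANY))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed inputs: an unresolved name and a documentation address. */
    const char *inputs[] = { "windowsupdate.com", "192.0.2.10" };
    char buf[INET_ADDRSTRLEN];
    struct in_addr dst;

    for (size_t i = 0; i < 2; i++) {
        printf("%-18s unchecked -> %-15s checked -> %s\n", inputs[i],
               target_unchecked(inputs[i], buf, sizeof buf),
               target_checked(inputs[i], &dst) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

An in-band -1 cannot be told apart from a genuine 255.255.255.255, which is why the checked variant carries the status in its return value and keeps the address in a separate output parameter.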