[61086] in North American Network Operators' Group


RE: Brace yourselves.. W32/Sobig-F about to mutate...

daemon@ATHENA.MIT.EDU (Todd Mitchell - lists)
Fri Aug 22 14:31:47 2003

From: "Todd Mitchell - lists" <lists@ciphin.com>
To: "'Stephen J. Wilcox'" <steve@telecomplete.co.uk>,
	<Valdis.Kletnieks@vt.edu>
Cc: <nanog@merit.edu>
Date: Fri, 22 Aug 2003 14:21:51 -0400
In-Reply-To: <Pine.LNX.4.44.0308221913430.7076-100000@MrServer>
Errors-To: owner-nanog-outgoing@merit.edu


| Stephen J. Wilcox
| Sent: Friday, August 22, 2003 2:15 PM
| To: Valdis.Kletnieks@vt.edu
| Cc: nanog@merit.edu
| Subject: Re: Brace yourselves.. W32/Sobig-F about to mutate...
| 
| On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:
| 
| > A quick heads up, if anybody hasn't heard:
| >
| > At 1900GMT today, ET phones home, and picks up the next payload of
| > instructions.  Nobody knows (yet) what they'll be, but SoBig-E erased itself,
| > put in a password grabber, and then installed a mail proxy for spammer use.
| 
| "On this moment, the worm starts to connect to machines found from an encrypted
| list hidden in the virus body. The list contains the address of 20 computers
| located in USA, Canada and South Korea."
| 
| erm so why don't we just block (preferably bgp null route) these sites?

I believe that InterNAP has already implemented this in all of their
PNAPs.

Todd

--


