[66837] in North American Network Operators' Group
RE: in case nobody else noticed it, there was a mail worm
daemon@ATHENA.MIT.EDU (Timo Janhunen)
Tue Jan 27 02:13:20 2004
Date: Tue, 27 Jan 2004 02:08:52 -0500
To: "Wojtek Zlobicki" <wojtekz@idirect.com>,
"'Paul Vixie'" <paul@vix.com>, <nanog@merit.edu>
From: Timo Janhunen <timo@aci.ca>
In-Reply-To: <20040127015831.UCHO286904.fep01-mail.bloor.is.net.cable.rogers.com@ender>
Errors-To: owner-nanog-outgoing@merit.edu

This lovely little worm will start beating on the door at www.sco.com come
Feb 1/04. Interesting huh?

At 09:01 PM 26/01/2004 -0500, Wojtek Zlobicki wrote:
>The worm is being talked about on news.com and all the major virus vendors
>already have advisories on their websites. The worm in my case masqueraded
>as a Mailer Daemon bounce. Source email address appeared to be valid and
>matching a domain of a website I visited recently (but have not for a long
>time). Anyone know how the worm generates the sending domain?
>
>-----Original Message-----
>From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of Paul
>Vixie
>Sent: Monday, January 26, 2004 8:52 PM
>To: nanog@merit.edu
>Subject: in case nobody else noticed it, there was a mail worm released
>today
>
>
>my copies (500 or so, before i filtered) are in a ~7MB gzip'd mailbox file
>called http://sa.vix.com/~vixie/mailworm.mbox.gz (plz don't fetch that
>unless you need it for comparison or analysis). there's a high degree of
>splay in the smtp/tcp peer address, and the sender is prepared to try backup
>MX's if the primary rejects it, though it appears to try the MX's in
>priority order.