[68137] in North American Network Operators' Group


Re: dealing with w32/bagle

daemon@ATHENA.MIT.EDU (Brent_OKeeffe@asc.aon.com)
Wed Mar 3 16:13:10 2004

To: Dan Hollis <goemon@anime.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
From: Brent_OKeeffe@asc.aon.com
Date: Wed, 3 Mar 2004 14:40:56 -0600
Errors-To: owner-nanog-outgoing@merit.edu



We created bogus DNS entries for the following entries, known to be 
targeted by the worm:
www.sportscheck.de
www.songtext.net
www.songtext.de
www.maiklibis.de
www.gfotxt.net
postertog.de
permail.uni-muenster.de

The entries directed traffic to an interface on a router that can handle
the traffic. Currently, we have a logging ACL that drops port 80 to the
bogus IP. We might connect a sniffer with that IP address at some point
with triggers loaded to notify when systems attempt to access the address.
So far this has helped.

Any other suggestions are welcome.

Brent




Dan Hollis <goemon@anime.net>
Sent by: owner-nanog@merit.edu
03/03/2004 03:24 PM

 
        To:     "'nanog@merit.edu'" <nanog@merit.edu>
        cc: 
        Subject:        dealing with w32/bagle



I am curious how network operators are dealing with the latest w32/bagle 
variants which seem particularly evil.

Also, does anyone have tools for regexp and purging these mails from unix 
mailbox (not maildir) mailspool files? E.g. purging these mails after the 
fact if they were delivered to users' mailboxes before your virus scanner 
got a database update.

-Dan
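The sinkhole-plus-logging-ACL setup Brent describes has a useful side effect: every deny logged against the bogus IP on port 80 is a probable infection, so the ACL log is the infection list. The script below is an added example (not code from the thread): it parses Cisco-style ACL deny lines, keeps only TCP/80 toward the sinkhole address, aggregates per source with first/last seen, and formats one alert line per host for whatever paging hook you use. The IOS log wording, the sinkhole address 192.0.2.1 and the log lines themselves are assumptions constructed for the example; other routers word ACL denies differently.

```python
"""Find worm-infected hosts from the logging ACL in front of a DNS sinkhole.

Added example for the setup in the post: the worm's target hostnames
resolve to a bogus address and a logging ACL drops TCP/80 to it.  Every
deny line is then a probable infection, so parse them and aggregate by
source to drive a notification.
"""
import re

# Hostnames from the post, all pointed at the sinkhole address in DNS.
SINKHOLED_HOSTS = [
    "www.sportscheck.de", "www.songtext.net", "www.songtext.de",
    "www.maiklibis.de", "www.gfotxt.net", "postertog.de",
    "permail.uni-muenster.de",
]

# ASSUMPTION: 192.0.2.1 (a documentation address) stands in for the bogus IP.
SINKHOLE_IP = "192.0.2.1"

# ASSUMPTION: Cisco IOS "IPACCESSLOGP" deny message behind a syslog prefix.
# Other platforms word ACL denies differently and need their own pattern.
ACL_DENY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}).*?"
    r"list (?P<acl>\S+) denied (?P<proto>[a-z]+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\((?P<dport>\d+)\), (?P<pkts>\d+) packet"
)


def parse_acl_deny(line):
    """Return the fields of one ACL deny line, or None for any other line."""
    m = ACL_DENY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "pkts"):
        rec[key] = int(rec[key])
    return rec


def sinkhole_hits(lines, sinkhole_ip=SINKHOLE_IP, port=80):
    """Aggregate TCP denies toward sinkhole_ip:port by source address.

    Returns {src: {"packets": n, "first": ts, "last": ts}}.  Denies to
    other destinations, other ports or other protocols are ignored, as
    are non-ACL syslog lines.
    """
    hits = {}
    for line in lines:
        rec = parse_acl_deny(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dst"] != sinkhole_ip or rec["dport"] != port:
            continue
        entry = hits.setdefault(
            rec["src"], {"packets": 0, "first": rec["ts"], "last": rec["ts"]}
        )
        entry["packets"] += rec["pkts"]
        entry["last"] = rec["ts"]
    return hits


def notify_lines(hits, sinkhole_ip=SINKHOLE_IP, port=80, min_packets=1):
    """One alert line per suspect source, busiest first."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1]["packets"], kv[0]))
    return [
        f"SINKHOLE {src}: {e['packets']} pkt to {sinkhole_ip}:{port} "
        f"({e['first']} .. {e['last']})"
        for src, e in ranked
        if e["packets"] >= min_packets
    ]


# Constructed sample lines (not real router output): two infected hosts,
# one UDP deny and one deny to another destination that must be ignored,
# and one unrelated syslog message.
SAMPLE_LOG = [
    "Mar  3 14:01:22 rtr1 1234: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
    "10.20.30.40(1045) -> 192.0.2.1(80), 1 packet",
    "Mar  3 14:01:25 rtr1 1235: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
    "10.20.30.40(1046) -> 192.0.2.1(80), 3 packets",
    "Mar  3 14:02:01 rtr1 1236: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
    "10.20.31.7(3301) -> 192.0.2.1(80), 1 packet",
    "Mar  3 14:02:09 rtr1 1237: %SEC-6-IPACCESSLOGP: list 120 denied udp "
    "10.20.31.7(3302) -> 192.0.2.1(80), 1 packet",
    "Mar  3 14:02:15 rtr1 1238: %SEC-6-IPACCESSLOGP: list 120 denied tcp "
    "10.20.32.9(2001) -> 198.51.100.5(80), 1 packet",
    "Mar  3 14:02:20 rtr1 1239: %SYS-5-CONFIG_I: Configured from console by admin",
]

if __name__ == "__main__":
    for line in notify_lines(sinkhole_hits(SAMPLE_LOG)):
        print(line)
```

Feed it the router's syslog file; anything that is not a deny toward the sinkhole on TCP/80 falls through. Because the ACL drops the SYN, each infected host keeps retrying and its packet count climbs quickly, so alerting on first sight of a new source is more useful than alerting on a count threshold. IOS rate-limits IPACCESSLOGP messages, so treat the counts as a lower bound.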
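For the mbox-purging half of Dan's question, here is an added example (not a tool from the thread) built on Python's standard mailbox module: it walks a Unix mbox spool, flags messages whose Subject or attachment filename matches a regex, removes them and rewrites the spool in place under lock. The two regexes and the four-message sample spool are constructed for the example and are not a Bagle signature; substitute the subject and attachment patterns from your AV vendor's writeup of the variant you are cleaning up after.

```python
"""Purge worm mails from a Unix mbox spool after the fact.

Added example for the question in the post, not a tool from the thread:
flag messages whose Subject or attachment filename matches a regex,
remove them and rewrite the mbox in place under lock.
"""
import mailbox
import os
import re
import tempfile
from email.message import EmailMessage

# ASSUMPTION: sample patterns only, not a Bagle signature.  Build the real
# ones from your AV vendor's description of the variant being cleaned up.
WORM_SUBJECT_RE = re.compile(r"^(Re: )?(Hello|Document|Thank you!)$", re.I)
WORM_ATTACH_RE = re.compile(r"\.(exe|scr|pif|com|cpl)$", re.I)


def attachment_names(msg):
    """Yield the filename of every part that carries one, nested parts included."""
    for part in msg.walk():
        name = part.get_filename()
        if name:
            yield name


def looks_like_worm(msg, subject_re=WORM_SUBJECT_RE, attach_re=WORM_ATTACH_RE):
    """True if the Subject or any attachment filename matches the patterns."""
    subject = (msg.get("Subject") or "").strip()
    if subject_re.search(subject):
        return True
    return any(attach_re.search(name) for name in attachment_names(msg))


def purge_mbox(path, subject_re=WORM_SUBJECT_RE, attach_re=WORM_ATTACH_RE):
    """Remove matching messages from the mbox at path; return how many went."""
    box = mailbox.mbox(path)
    box.lock()  # fcntl lock plus dotlock; must agree with the MDA's locking
    try:
        doomed = [key for key, msg in box.items()
                  if looks_like_worm(msg, subject_re, attach_re)]
        for key in doomed:
            box.remove(key)
        box.flush()  # writes a new copy beside the spool and renames it over
    finally:
        box.unlock()
        box.close()
    return len(doomed)


def build_sample_spool(path):
    """Write a constructed four-message mbox: two benign, two worm-like."""
    samples = [  # (sender, subject, body, (attachment name, bytes) or None)
        ("alice@example.net", "Meeting tomorrow", "See you at 10.", None),
        ("bob@example.net", "Re: Hello", "", ("document.exe", b"MZ\x90\x00")),
        ("carol@example.net", "Q1 numbers", "Attached.", ("report.pdf", b"%PDF-1.4")),
        ("dave@example.net", "Thank you!", "", ("readme.pif", b"MZ\x90\x00")),
    ]
    box = mailbox.mbox(path)
    for sender, subject, body, attachment in samples:
        msg = EmailMessage()
        msg["From"] = sender
        msg["To"] = "user@example.net"
        msg["Subject"] = subject
        msg.set_content(body)
        if attachment:
            name, data = attachment
            msg.add_attachment(data, maintype="application",
                               subtype="octet-stream", filename=name)
        box.add(msg)
    box.flush()
    box.close()


def run_demo():
    """Build the sample spool in a temp dir, purge it, report what happened."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "user")
        build_sample_spool(path)
        removed = purge_mbox(path)
        box = mailbox.mbox(path)
        remaining = [m["Subject"] for m in box]
        box.close()
    return removed, remaining


if __name__ == "__main__":
    print(run_demo())
```

On a real system call purge_mbox("/var/mail/user") as the spool owner or root. mailbox.mbox.lock() takes an fcntl lock and a dotlock; make sure your MDA honours the same scheme, or stop local delivery while you clean. flush() writes a fresh copy next to the spool and renames it over the old one, so check free space on the spool filesystem first, and keep a backup copy of the spool until users confirm nothing legitimate matched the patterns.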




