[68153] in North American Network Operators' Group


RE: dealing with w32/bagle

daemon@ATHENA.MIT.EDU (Mike Damm)
Wed Mar 3 17:59:37 2004

From: Mike Damm <MikeD@irwinresearch.com>
To: "'Brent_OKeeffe@asc.aon.com'" <Brent_OKeeffe@asc.aon.com>,
	Dan Hollis <goemon@anime.net>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Wed, 3 Mar 2004 14:55:52 -0800 
Errors-To: owner-nanog-outgoing@merit.edu



> We created bogus DNS entries for the following entries, known to be
> targeted by the worm:
> www.sportscheck.de 
> www.songtext.net 
> www.songtext.de 
> www.maiklibis.de 
> www.gfotxt.net 
> postertog.de 
> permail.uni-muenster.de 

For what it's worth ns{1,2,3,4}.everydns.net will answer for the wormy
domains with 127.0.0.1 to help mitigate phone-home traffic.

I just registered gfotxt.net (some appear to be registered while others are
not) with the proper name servers and it should be visible worldwide along
the normal timeline. Parties with control over the other mentioned domains
or end user resolution are more than welcome to point them our way.

We'll be generating some statistical data on DNS traffic and summarizing for
anyone interested.

  -Mike
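
Added example, not part of the original message: one way to tally which clients are querying the sinkholed names, the kind of per-source DNS summary the message mentions. The log format (`<timestamp> <client-ip> <qname> <qtype>`), the sample lines and the function names are assumptions constructed for illustration; the domain list is the one quoted above.

```python
from collections import Counter, defaultdict

# Domains listed in the quoted message as targeted by the worm.
SINKHOLED = {
    "www.sportscheck.de", "www.songtext.net", "www.songtext.de",
    "www.maiklibis.de", "www.gfotxt.net", "postertog.de",
    "permail.uni-muenster.de",
}

# Constructed sample query log (hypothetical format, documentation IPs).
SAMPLE_LOG = """\
2004-03-03T15:01:02 192.0.2.10 www.gfotxt.net. A
2004-03-03T15:01:03 192.0.2.10 WWW.GFOTXT.NET A
2004-03-03T15:01:09 192.0.2.22 www.example.com. A
2004-03-03T15:02:11 192.0.2.31 postertog.de. A
2004-03-03T15:02:15 192.0.2.10 permail.uni-muenster.de. A
malformed line
2004-03-03T15:03:00 192.0.2.44 notpostertog.de. A
"""

def normalize(qname):
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return qname.rstrip(".").lower()

def is_sinkholed(qname):
    """Match a listed name or anything beneath it, on a label boundary only."""
    name = normalize(qname)
    return any(name == d or name.endswith("." + d) for d in SINKHOLED)

def summarize(log_text):
    """Return {client_ip: {qname: count}} for queries to sinkholed names."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:          # skip lines that do not fit the format
            continue
        _ts, client, qname, _qtype = fields
        if is_sinkholed(qname):
            per_client[client][normalize(qname)] += 1
    return {client: dict(names) for client, names in per_client.items()}

if __name__ == "__main__":
    # Clients that look up these names are candidates for cleanup.
    for client, names in sorted(summarize(SAMPLE_LOG).items()):
        print(client, sum(names.values()), sorted(names))
```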

