[68952] in North American Network Operators' Group


Re: Hi (fwd)

daemon@ATHENA.MIT.EDU (Matthew Sullivan)
Thu Mar 18 17:07:16 2004

Date: Fri, 19 Mar 2004 08:06:45 +1000
From: Matthew Sullivan <matthew@sorbs.net>
In-reply-to: <Pine.LNX.4.44.0403172143050.2114-100000@sokol.elan.net>
To: "william(at)elan.net" <william@elan.net>
Cc: nanog@merit.edu
Errors-To: owner-nanog-outgoing@merit.edu


william(at)elan.net wrote:

>FYI - if you're on windows machine DON'T TRY TO FOLLOW URL in that post
>
>Somebody sent me a copy of the content and it's vbscript that downloads an 
>image converts it into executable and then probably uses some bug in 
>microshit products to have it executed. I'm not that good with windows 
>scripting so whoever of the security people here wants to see it further if 
>you can not get it yourself, let me know. It's possible this may be zombie 
>making virus using nanog to replicate (somebody's sick joke) but possibly
>it's more general with other lists too. Spammers and virus writers joined
>together are getting nastier and nastier.
>  
>

It's another variant of Bagle...

My analysis of it is at: http://www.au.sorbs.net/virus.explain.txt - 
since then Symantec has released its more detailed explanation under 
the headings for Bagle.r and Bagle.s

/ Mat

