[69403] in North American Network Operators' Group


RE: worm information

daemon@ATHENA.MIT.EDU (Christopher J. Wolff)
Sat Apr 10 14:37:55 2004

From: "Christopher J. Wolff" <chris@bblabs.com>
To: <ravi@cow.org>, "'Darrell Greenwood'" <lists2@telus.net>
Cc: "'nanog list'" <nanog@merit.edu>
Date: Sat, 10 Apr 2004 11:37:15 -0700
In-Reply-To: <20040410183029.GR58410@happy.cow.org>
Errors-To: owner-nanog-outgoing@merit.edu


Thank you for the input.  The 'unique' feature of this infestation is that
affected hosts don't transmit a lot of data...however they do open up
thousands of flows in a very short time.  Perhaps that's not unique but it
certainly is annoying.

Regards,
Christopher J. Wolff, VP CIO
Broadband Laboratories, Inc.
http://www.bblabs.com

> -----Original Message-----
> From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> ravi pina
> Sent: Saturday, April 10, 2004 11:30 AM
> To: Darrell Greenwood
> Cc: 'nanog list'
> Subject: Re: worm information
> 
> 
> On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one
> point in time:
> >
> > On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
> >
> >
> >http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
> >
> > File Not Found... 'l' missing from end of 'htm'.
> >
> >
> http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
> 
> this is correct.  my organization has been infected with this
> and it is a particularly nasty little bugger.  we may have been
> 'patient 0' in terms of sending copies of the virus to symantec
> so they could write signatures for it.  infected hosts flood
> the network with a tremendous amount of data and port opening.
> 
> i at least managed to quarantine off all my vpn devices which
> seemed to be the entry point.
> 
> -r
> 
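
The behaviour described in this thread (hosts that move little data but open thousands of flows in a very short time) can be looked for in exported flow records. The sketch below is an added example, not part of the original messages; the record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

def flag_flow_bursts(flows, window=60, min_flows=1000, max_avg_bytes=200):
    """Flag sources that open many small flows inside one time window.

    flows: iterable of (epoch_seconds, src_ip, dst_ip, dst_port, byte_count).
    The thresholds are illustrative assumptions; tune them to a local baseline.
    """
    buckets = defaultdict(lambda: {"flows": 0, "bytes": 0, "dsts": set()})
    for ts, src, dst, dport, nbytes in flows:
        b = buckets[(src, int(ts) // window)]  # tumbling window per source
        b["flows"] += 1
        b["bytes"] += nbytes
        b["dsts"].add((dst, dport))

    flagged = {}
    for (src, slot), b in buckets.items():
        avg = b["bytes"] / b["flows"]
        # Both conditions must hold: a high flow count AND little data per flow.
        if b["flows"] < min_flows or avg > max_avg_bytes:
            continue
        if src not in flagged or b["flows"] > flagged[src]["flows"]:
            flagged[src] = {"window_start": slot * window, "flows": b["flows"],
                            "distinct_dsts": len(b["dsts"]), "avg_bytes": avg}
    return flagged

def sample_flows():
    """Constructed flow records for the demonstration (not from the thread)."""
    flows = []
    for i in range(3000):  # many tiny flows to distinct targets in 30 seconds
        dst = f"10.1.{i // 250}.{i % 250 + 1}"
        flows.append((1200 + i % 30, "10.0.0.5", dst, 80, 60))
    for i in range(1500):  # busy but normal: many flows, each carrying real data
        flows.append((1200 + i % 30, "10.0.0.7", "203.0.113.10", 443, 40000))
    for i in range(5):     # bulk transfer: few flows, large byte counts
        flows.append((1200 + i, "10.0.0.9", "203.0.113.20", 22, 50_000_000))
    return flows

if __name__ == "__main__":
    for src, stats in flag_flow_bursts(sample_flows()).items():
        print(src, stats)
```

Because the windows are tumbling rather than sliding, a burst that straddles a window boundary is counted in two buckets and may fall under the threshold in each.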


