[69404] in North American Network Operators' Group


Re: worm information

daemon@ATHENA.MIT.EDU (ravi pina)
Sat Apr 10 14:44:16 2004

Date: Sat, 10 Apr 2004 14:43:37 -0400
From: ravi pina <ravi@cow.org>
To: "Christopher J. Wolff" <chris@bblabs.com>
Cc: ravi@cow.org, 'Darrell Greenwood' <lists2@telus.net>,
	'nanog list' <nanog@merit.edu>
Reply-To: ravi@cow.org
In-Reply-To: <B0007607417@mail.bblabs.net>
Errors-To: owner-nanog-outgoing@merit.edu


hmm, honestly i can't vouch for the data rate personally.
a co-worker said the counters on the VPN connections were
grossly disproportionate for a short time sample.

bottom line, it is indeed annoying.  i know my server
and desktop groups have been having a hell of a time
disinfecting hosts.  i know part of this was that
symantec, at the time, said it may be a polymorphic
strain.

-r


On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:
> Thank you for the input.  The 'unique' feature of this infestation is that
> affected hosts don't transmit a lot of data...however they do open up
> thousands of flows in a very short time.  Perhaps that's not unique but it
> certainly is annoying.
> 
> Regards,
> Christopher J. Wolff, VP CIO
> Broadband Laboratories, Inc.
> http://www.bblabs.com
> 
> > -----Original Message-----
> > From: owner-nanog@merit.edu [mailto:owner-nanog@merit.edu] On Behalf Of
> > ravi pina
> > Sent: Saturday, April 10, 2004 11:30 AM
> > To: Darrell Greenwood
> > Cc: 'nanog list'
> > Subject: Re: worm information
> > 
> > 
> > On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one
> > point in time:
> > >
> > > On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
> > >
> > >
> > >http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
> > >
> > > File Not Found... 'l' missing from end of 'htm'.
> > >
> > >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
> > 
> > this is correct.  my organization has been infected with this
> > and it is a particularly nasty little bugger.  we may have been
> > 'patient 0' in terms of sending copies of the virus to symantec
> > so they could write signatures for it.  infected hosts flood
> > the network with a tremendous amount of data and port opening.
> > 
> > i at least managed to quarantine off all my vpn devices which
> > seemed to be the entry point.
> > 
> > -r
> > 
> 

-- 
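
The behaviour described in this thread (infected hosts that send little data but open thousands of flows in a very short time) is the kind of signal a per-source flow-rate check picks up. The following is an added example, not part of the original messages: the flow record layout, the thresholds and the sample addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the thread); tune against your own baseline.
WINDOW_SECS = 10      # sliding window length
MIN_FLOWS = 1000      # flows per source inside one window
MAX_AVG_BYTES = 200   # mean bytes per flow inside that window


def find_flow_floods(flows, window=WINDOW_SECS, min_flows=MIN_FLOWS,
                     max_avg_bytes=MAX_AVG_BYTES):
    """flows: iterable of (ts, src, dst, dport, nbytes), sorted by ts.
    Returns {src: (peak_flows, avg_bytes_at_peak, distinct_dsts_at_peak)}
    for sources that open many flows while moving very little data."""
    recent = defaultdict(deque)   # src -> flows still inside the window
    byte_sum = defaultdict(int)   # src -> bytes carried by those flows
    hits = {}
    for ts, src, dst, dport, nbytes in flows:
        q = recent[src]
        q.append((ts, dst, nbytes))
        byte_sum[src] += nbytes
        # Evict flows that have aged out of the sliding window.
        while q[0][0] <= ts - window:
            byte_sum[src] -= q.popleft()[2]
        n = len(q)
        avg = byte_sum[src] / n
        # High flow count AND low volume: a bulk transfer fails the first
        # test, an ordinary busy client fails both.
        if n >= min_flows and avg <= max_avg_bytes:
            if src not in hits or n > hits[src][0]:
                hits[src] = (n, avg, len({d for _, d, _ in q}))
    return hits


def sample_flows():
    """Constructed sample records, not captured traffic."""
    flows = []
    for i in range(1500):   # many tiny flows to many hosts within ~3 s
        flows.append((100 + i * 0.002, "10.0.0.5",
                      f"10.1.{i // 250}.{i % 250}", 445, 60))
    for i in range(300):    # busy but ordinary client spread over 60 s
        flows.append((100 + i * 0.2, "10.0.0.7", "10.2.0.10", 443, 4000))
    for i in range(20):     # bulk transfer: few flows, lots of data
        flows.append((100 + i, "10.0.0.9", "10.2.0.20", 22, 5_000_000))
    return sorted(flows)


if __name__ == "__main__":
    for src, (n, avg, dsts) in find_flow_floods(sample_flows()).items():
        print(f"{src}: {n} flows in window, {avg:.0f} B/flow, {dsts} destinations")
```
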
