dealing with w32/bagle

• Previous message (by thread): The attachment mess, was w32/bagle
• Next message (by thread): dealing with w32/bagle
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

We created bogus DNS entries for the following entries, known to be 
targeted by the worm:
www.sportscheck.de
www.songtext.net
www.songtext.de
www.maiklibis.de
www.gfotxt.net
postertog.de
permail.uni-muenster.de

The entries directed traffic to an interface on a router that can handle 
the traffic.  Currently, we have a logging ACL that drops port 80 to the 
bogus IP.  We might connect a sniffer with that IP address at some point 
with triggers loaded to notify when systems attempt to access the address. 
 So far this has helped.

Any other suggestions are welcome.

Brent




Dan Hollis <goemon at anime.net>
Sent by: owner-nanog at merit.edu
03/03/2004 03:24 PM

 
        To:     "'nanog at merit.edu'" <nanog at merit.edu>
        cc: 
        Subject:        dealing with w32/bagle



I am curious how network operators are dealing with the latest w32/bagle 
variants which seem particularly evil.

Also, does anyone have tools for regexp and purging these mails from unix 
mailbox (not maildir) mailspool files? Eg purging these mails after the 
fact if they were delivered to user's mailboxes before your virus scanner 
got a database update.

-Dan



-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nanog.org/pipermail/nanog/attachments/20040303/85570220/attachment.html>

• Previous message (by thread): The attachment mess, was w32/bagle
• Next message (by thread): dealing with w32/bagle
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]