<br><font size=2 face="sans-serif">We created bogus DNS entries for the following entries, known to be targeted by the worm:</font>
<br><font size=2 face="sans-serif">www.sportscheck.de</font>
<br><font size=2 face="sans-serif">www.songtext.net</font>
<br><font size=2 face="sans-serif">www.songtext.de</font>
<br><font size=2 face="sans-serif">www.maiklibis.de</font>
<br><font size=2 face="sans-serif">www.gfotxt.net</font>
<br><font size=2 face="sans-serif">postertog.de</font>
<br><font size=2 face="sans-serif">permail.uni-muenster.de</font>
<br>
<br><font size=2 face="sans-serif">The entries directed traffic to an interface on a router that can handle the traffic. Currently, we have a logging ACL that drops port 80 to the bogus IP. We might connect a sniffer with that IP address at some point with triggers loaded to notify when systems attempt to access the address. So far this has helped.</font>
<br>
<br><font size=2 face="sans-serif">Any other suggestions are welcome.</font>
<br>
<br><font size=2 face="sans-serif">Brent</font>
<br>
<br>
<br>
<table width=100%>
<tr valign=top>
<td>
<td><font size=1 face="sans-serif"><b>Dan Hollis <goemon@anime.net></b></font>
<br><font size=1 face="sans-serif">Sent by: owner-nanog@merit.edu</font>
<p><font size=1 face="sans-serif">03/03/2004 03:24 PM</font>
<br>
<td><font size=1 face="Arial"> </font>
<br><font size=1 face="sans-serif"> To: "'nanog@merit.edu'" <nanog@merit.edu></font>
<br><font size=1 face="sans-serif"> cc: </font>
<br><font size=1 face="sans-serif"> Subject: dealing with w32/bagle</font></table>
<br>
<br>
<br><font size=2 face="Courier New"><br>
I am curious how network operators are dealing with the latest w32/bagle <br>
variants which seem particularly evil.<br>
<br>
Also, does anyone have tools for regexp and purging these mails from unix <br>
mailbox (not maildir) mailspool files? Eg purging these mails after the <br>
fact if they were delivered to user's mailboxes before your virus scanner <br>
got a database update.<br>
<br>
-Dan<br>
<br>
</font>
<br>
<br>