nanog mailing list archives
Re: kornet.net abuse desk is mailing out W32.Nimda.E@mm worm
From: "Steven M. Bellovin" <smb () research att com>
Date: Tue, 30 Oct 2001 14:13:42 -0500
In message <195358945566.20011030133637 () conti nu>, Kai Schlichting writes:
If you or your staff have dealt with kornet.net (a Korean ISP belonging to Korean Telecom), and specifically abuse () kornet net in the past, beware: It seems that they've been overrun by the brand-spanking-new W32.Nimda.E@mm worm (**) sometime late last night. Specific case in hand: yesterday at 9:40pm EST, I received a mail with a Subject: line of an UNRELATED abuse issue (hello MFNX/XO/Above.net :) that contains a MIME attachment with an auto-playing "sound file" of sample.exe, opened in an <iframe> of your favorite Microsoft email client. Source IP of the mailing: 210.222.17.36 (/24).
Note, however, that the From: line on these Nimda variants is also forged; see http://securityresponse.symantec.com/avcenter/venc/data/w32.nimda.a@mm.html for details. (I received several messages saying that some mail I sent was infected with Nimda.E. This struck me as quite improbable, since I use NetBSD for all my email and other real work.)

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com