nanog mailing list archives

RE: dealing with w32/bagle

From: Mike Damm <MikeD () irwinresearch com>
Date: Wed, 3 Mar 2004 14:55:52 -0800

We created bogus DNS entries for the following entries, known to be

targeted by the worm:

www.sportscheck.de 
www.songtext.net 
www.songtext.de 
www.maiklibis.de 
www.gfotxt.net 
postertog.de 
permail.uni-muenster.de


For what its worth ns{1,2,3,4}.everydns.net will answer for the wormy
domains with 127.0.0.1 to help mitigate phone-home traffic.

I just registered gfotxt.net (some appear to be registered while others are
not) with the proper name servers and it should be visible worldwide along
the normal timeline. Parties with control over the other mentioned domains
or end user resolution are more than welcome to point them our way.

We'll be generating some statistical data on DNS traffic and summarizing for
anyone interested.

  -Mike

Current thread:

Re: dealing with w32/bagle, (continued)
- - - Re: dealing with w32/bagle Stephen Milton (Mar 04)
    - Re: dealing with w32/bagle Curtis Maurand (Mar 04)
    - Message not available
    - Re: dealing with w32/bagle JC Dill (Mar 05)
    - Re: dealing with w32/bagle Jeff Shultz (Mar 05)
    - The attachment mess, was w32/bagle David Lesher (Mar 05)
- Re: dealing with w32/bagle Scott Call (Mar 03)
- Re: dealing with w32/bagle Adam Kujawski (Mar 03)
- Re: dealing with w32/bagle Suresh Ramasubramanian (Mar 03)
- Re: dealing with w32/bagle W.D.McKinney (Mar 03)
- Re: dealing with w32/bagle Brent_OKeeffe (Mar 03)
- RE: dealing with w32/bagle Mike Damm (Mar 03)
- Re: dealing with w32/bagle Dr. Jeffrey Race (Mar 04)