North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: kornet.net abuse desk is mailing out [email protected] worm

  • From: Steven M. Bellovin
  • Date: Tue Oct 30 14:16:33 2001

In message <[email protected]>, Kai Schlichting writes:
>
>If you or your staff have dealt with kornet.net (a Korean ISP belonging
>to Korean Telecom), and specifically [email protected] in the past, beware:
>It seems that they've been overrun by the brand-spanking-new [email protected]
>worm (**) sometimes late last night.
>
>Specific case in hand: yesterday at 9:40pm EST, I received a mail
>with a  Subject: line of an UNRELATED abuse issue (hello MFNX/XO/
>Above.net :) that contains a MIME attachment with an auto-playing
>"sound file" of sample.exe , openened in an <iframe> of your favorite
>Microsoft email client. Source IP of the mailing : 210.222.17.36 (/24).

Note, however, that the From: line on these Nimda variants is also 
forged; see http://securityresponse.symantec.com/avcenter/venc/data/[email protected]
for details.  (I received several messages saying that some mail I sent 
was infected with Nimda.E.  This struck me as quite improbable, since I 
use NetBSD for all my email and other real work.)

		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com