North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: worm information

  • From: ravi pina
  • Date: Sat Apr 10 14:46:01 2004 
hmm, honestly i can't vouch for the data rate personally.
a co-worker said the counters on the VPN connections were
grossly disproportionate for a short time sample.

bottom line, it is indeed annoying.  i know my server
and desktop groups have been having a hell of a time
disinfecting hosts.  i know part of this was that
symantec, at the time, said it may be a polymorphic
strain.

-r


On Sat, Apr 10, 2004 at 11:37:15AM -0700, Christopher J. Wolff said at one point in time:
> Thank you for the input.  The 'unique' feature of this infestation is that
> affected hosts don't transmit a lot of data...however they do open up
> thousands of flows in a very short time.  Perhaps that's not unique but it
> certainly is annoying.
> 
> Regards,
> Christopher J. Wolff, VP CIO
> Broadband Laboratories, Inc.
> http://www.bblabs.com
> 
> > -----Original Message-----
> > From: [email protected] [mailto:[email protected]] On Behalf Of
> > ravi pina
> > Sent: Saturday, April 10, 2004 11:30 AM
> > To: Darrell Greenwood
> > Cc: 'nanog list'
> > Subject: Re: worm information
> > 
> > 
> > On Sat, Apr 10, 2004 at 11:19:19AM -0700, Darrell Greenwood said at one
> > point in time:
> > >
> > > On 04/4/10 at 1:53 PM -0400, Jeff Workman wrote the following :
> > >
> > >
> > >http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.htm
> > >
> > > File Not Found... 'l' missing from end of 'htm'.
> > >
> > >
> > http://securityresponse.symantec.com/avcenter/venc/data/w32.gaobot.um.html
> > 
> > this is correct.  my organization has been infected with this
> > and it is a particular nasty little bugger.  we may have been
> > 'patient 0' in terms of sending copies of the virus to symantec
> > so they could write signatures for it.  infected hosts flood
> > the network with a tremendous amount of data and port opening.
> > 
> > i at least manged to quarantine off all my vpn devices which
> > seemed to be the entry point.
> > 
> > -r
> > 
> 

--