Huge activity with the Novarg worm. Details at www.sarc.com/avcenter/venc/data/w32.novarg.a(a)mm.html The most amazing quantity of traffic is the Xtra bounce messages, which are just plain stupid as the virus is propogating using other peoples email addresses from the infected machines records. If anyone from Xtra is listening, can you turn off the auto responder? Keith Davidson

yeh, definately noticing a huge increase in this kind of activity.

Regards Dan

----- Original Message ----- From: "Juha Saarinen" To: "NZ NOG" Sent: Tuesday, January 27, 2004 1:33 PM Subject: [nznog] Recent worm infestations

...

For those who haven't noticed the flood of emailed viruses and bounces caused by the dictionary attack the new Windows worm(s) create(s), read and weep:

http://www.kaspersky.com/news.html?id=3614506

http://www.datafellows.com/v-descs/novarg.shtml

Plus the usual AV sites.

Looks like it's running amok in NZ.

-- Juha _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Dan Clark wrote:

yeh I've noticed more autoresponder notes than the actual virus :P

Not after Europe woke up and the worms started rolling in. Interestingly enough, the worm HELOs as NZ ISPs in many cases. A local VXer, perhaps? -- Juha

here here I think the autoresponders are just as bad as the virus itself, especially if multiple party's are notified with every virus ie: Administrator, Recipient and Sender! Cheers Dan ----- Original Message ----- From: "Simon Byrnand" To: "Dan Clark" ; "Keith Davidson" ; Sent: Thursday, January 29, 2004 12:34 PM Subject: Re: [nznog] Recent worm infestations

At 14:26 27/01/2004, Dan Clark wrote:

...

yeh I've noticed more autoresponder notes than the actual virus :P

Great little rant (with technical details) here about the whole issue of virus scanners replying to the "sender" of viruses, and anybody running an email virus scanner ought to read this...

http://www.attrition.org/security/rant/av-spammers.html

Regards, Simon

On Thursday, January 29, 2004 5:22 PM NZT, Keith Davidson wrote:

It causes more and more work for other ISP's, as worried users make contact thinking they have the virus etc etc.

Virus autoresponders are proving more harmful than useful, and I guess it wont be long till some start to report them as spam.

Agreed. Heck, even the 'experts' agree: http://news.com.com/2100-7355_3-5148995.html?tag=nefd_top -Simon

Apropos nothing in particular, I observed this this evening: $ ls -l virus.patterns* -rw-rw-r-- 1 root root 3189550 Jan 27 22:10 virus.patterns -rw-rw-r-- 1 root root 3135960 Jan 20 09:10 virus.patterns.old $ wc -l virus.patterns.old 20595 virus.patterns.old $ wc -l virus.patterns 20942 virus.patterns by my reckoning, the folks at ClamAV have added 347 new virii patterns in a bit over a week. God only knows how many the people who are *paid* to write virus patterns are churning out... Cheers Si On Tue, Jan 27, 2004 at 03:16:45PM +1300, Brian Gibbons said:

...

From: "Keith Davidson"

...

Huge activity with the Novarg worm. Details at www.sarc.com/avcenter/venc/data/w32.novarg.a(a)mm.html

You're not kidding, that virus is breaking all records here.

Started about 10:50am, exponential growth since then (like a thousand an hour now and growing).

It seems Xtra's virus defence kicked in somewhere between 11:30 - 12:00 so maybe it will taper off.

Cheers

BG

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog