[LINK] Current Virus Flurry
Roger Clarke
Roger.Clarke@xamax.com.au
Wed, 6 Nov 2002 10:58:50 +1100

Quick Notes on the traffic of the last 24 hours (bearing in mind that
I'm an amateur at such things, and have only spent a few minutes on
it):

During 5-6 November, pakddemail@arbor.ee.ntu.edu.tw appeared to be
generating lots of mail from various ill-conceived virus-reporting
packages. That of course resulted in lots of ill-advised,
human-generated requests and complaints (including one which appeared
to be from the Dean of the computing Faculty of a major Australian
university).

A DNS lookup resolves the address as 140.112.17.57. A traceroute
produces information consistent with the proposition that it's a real
account on a real mail-server, that is in Elec Eng at the National
Taiwan Uni.

Finger doesn't appear to be enabled.

http://www.ee.ntu.edu.tw/2002/professor_e.html shows no pak, either
dd or otherwise; ditto staff-e.html and alumni-e.html. The Students
section partly malfunctions, and partly requires a loginid and
password. None of the staff had addresses @arbor (most are @cc). So
the most likely interpretation is that, if it exists, it's probably a
student account.

The cause appears to have been a new variant of a virus. It was
catalogued by virus-watchers as early as November 4, 2002 01:11:28
PM PST:
http://www.symantec.com/avcenter/venc/data/w32.brid.a@mm.html
--
Roger Clarke http://www.anu.edu.au/people/Roger.Clarke/
Xamax Consultancy Pty Ltd, 78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 1472, and 6288 6916
mailto:Roger.Clarke@xamax.com.au http://www.xamax.com.au/
Visiting Professor, Uni of Hong Kong, Dept of Comp Sci and Info Sys
Visiting Fellow, Australian National University, Dept of Comp Sci