Update to the virus report below
Looks like the virus below is an old version of Bagle, specifically W32/Bagle.j@MM or W32/Bagle.n@MM, which appeared in March of 2004. We are still trying to validate that the binary attachment is the same. If anyone has an e-mail attachment that is not detected by existing anti-virus signatures, please send it to us.
Another Virus (update to the original diary)
We just got a report about a new virus spreading. Like other viruses in the past, it claims to come from the user's ISP. It is pretty well done, so you may want to try to filter it, or at least remind your users not to click.
Sample (the 'ISP.NET' parts will be replaced with the recipients domain name):
(If you can, just block e-mail from 'administrator@yourdomain' at your external e-mail gateway. Typically, if you use such an account, your gateway will not receive e-mail from the outside with that 'From' address.)
From: administration@ISP.NET [mailto:administration@ISP.NET]
Sent: Wednesday, December 29, 2004 10:28 PM
Subject: E-mail account disabling warning.
Hello user of ISP.NET e-mail server,
Our main mailing server will be temporary unavaible for next two days,
to continue receiving mail in these days you have to configure our free
For details see the attach.
Have a good day,
The ISP.NET team http://www.ISP.NET
(Spelling of the e-mail is left in its original state. We don't have the attached binary right now. If you have it, send it to us via our contact page http://isc.sans.org/contact.php.)
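The gateway filter suggested above can be expressed as a header check on inbound mail. The following is an added example, not code from the ISC or from any mail product: it flags messages arriving from outside whose 'From' header uses a role account in one of your own domains. The domain isp.example, the list of role local parts, and the function name are assumptions made for illustration.

```python
# Added example: gateway-side check for inbound mail that spoofs a local role account.
from email import message_from_string
from email.utils import getaddresses

# Assumptions (not from the diary): the domains this gateway accepts mail for,
# and the role-account local parts that never send mail in from the outside.
LOCAL_DOMAINS = {"isp.example"}
ROLE_LOCALPARTS = {"administrator", "administration", "admin", "support"}


def spoofed_role_sender(raw_message, arrived_from_outside=True):
    """Return the offending From address (lowercased), or None if the message passes."""
    if not arrived_from_outside:
        return None  # internal relays may legitimately use these accounts
    msg = message_from_string(raw_message)
    # A From header can carry a display name or several addresses; check each one.
    for _name, addr in getaddresses(msg.get_all("From", [])):
        local, _, domain = addr.lower().rpartition("@")
        if domain.rstrip(".") in LOCAL_DOMAINS and local in ROLE_LOCALPARTS:
            return addr.lower()
    return None


# Constructed sample modelled on the message quoted above, with ISP.NET
# replaced by the placeholder domain isp.example.
SAMPLE = (
    "From: administration@ISP.EXAMPLE\n"
    "Subject: E-mail account disabling warning.\n"
    "\n"
    "Hello user of ISP.EXAMPLE e-mail server,\n"
)
# Constructed message from an unrelated external sender.
LEGIT = "From: Alice <alice@partner.example>\nSubject: hello\n\nhi\n"

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE), ("legit", LEGIT)):
        hit = spoofed_role_sender(raw)
        print(label, "-> reject" if hit else "-> accept", hit or "")
```

The check only looks at the 'From' header, which is what the recipient sees; it does not inspect the attachment or the envelope sender.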
ISC Poll Results
We asked you what the most overrated security topics are and you answered. The top three results were:
Correct Spelling (18%) - Johannes can no longer be faulted for typos :)
I certainly agree with cyberterrorism being overrated (though I'd say more overhyped), but phishing in my opinion is still an underrated threat. At least in the US it is, as the few times I dug into some of these phishing scams there was not a small amount of compromised accounts involved. I am surprised by the fact that there hasn't been large scale exploitation, however.
Port 1433 scans
The UNISOG list has had reports of an increase in TCP port 1433 scanning. We haven't seen it, but if you have and have packet captures, please send them along for us to analyze.
ISC Reader's Diary
We are planning a diary for the first week of the New Year that is exclusively a "Reader's Diary". This will be a diary of inputs from you, our readers, to the rest of the world. We are looking for inputs that pertain to ISC, the Internet, New Year Predictions, suggestions, 'thank you' notes, almost anything (within reason). We will try to get all of the inputs posted, and they will be available for reading on January 2nd/3rd. Please include your name and valid email address. Names will be posted, however email addresses will be kept private.
Please submit entries to firstname.lastname@example.org by Jan. 2nd 1200hrs GMT to be added to the diary.
Dec 30th 2004