Is This a Virus?

Edsonet administrator at yellowhead.com
Thu Aug 3 22:45:20 UTC 2000


Noticed unusually high volume on our DNS server the other day, and 
investigated further. One of our customers appeared to have a virus similar to the 
<network.vbs> worm. This worm only uses 2 octets starting at 0.1, whereas the 
<network.vbs> virus has a specific starting address. It also uses the full 
domain name first, and then <.com>, whereas <network.vbs> just uses the IP 
address and then adds the domain name. Search by the customer of his machine 
did not locate any unusual vbs files.

Has anyone seen or heard of such a virus? I have not been able to locate 
anything like it on the common anti-virus sites. A single machine acting like 
this is relatively harmless, but several acting together can bring down a DNS.

J.A. Coutts
Systems Engineer
Edsonet/TravPro
-------------------------------------------
12:10:07   Request from 207.34.82.38 for A-record for .0.1.yellowhead.com.
12:10:08   Request from 207.34.82.38 for A-record for .0.1.yellowhead.com.
12:10:10   Request from 207.34.82.38 for A-record for .0.1.yellowhead.com.
12:10:13   Request from 207.34.82.38 for A-record for .0.1.com.
12:10:15   Request from 207.34.82.38 for A-record for .0.1.com.
12:10:16   Request from 207.34.82.38 for A-record for .0.1.com.
12:10:21   Request from 207.34.82.38 for A-record for .0.2.yellowhead.com.
12:10:23   Request from 207.34.82.38 for A-record for .0.2.yellowhead.com.
12:10:24   Request from 207.34.82.38 for A-record for .0.2.yellowhead.com.
12:10:27   Request from 207.34.82.38 for A-record for .0.2.com.
12:10:29   Request from 207.34.82.38 for A-record for .0.2.com.
12:10:30   Request from 207.34.82.38 for A-record for .0.2.com.
12:10:39   Request from 207.34.82.38 for A-record for .0.3.yellowhead.com.
12:10:40   Request from 207.34.82.38 for A-record for .0.3.yellowhead.com.
12:10:42   Request from 207.34.82.38 for A-record for .0.3.yellowhead.com.
12:10:45   Request from 207.34.82.38 for A-record for .0.3.com.
12:10:46   Request from 207.34.82.38 for A-record for .0.3.com.
12:10:48   Request from 207.34.82.38 for A-record for .0.3.com.
12:10:53   Request from 207.34.82.38 for A-record for .0.4.yellowhead.com.
12:10:55   Request from 207.34.82.38 for A-record for .0.4.yellowhead.com.
12:10:56   Request from 207.34.82.38 for A-record for .0.4.yellowhead.com.
12:10:59   Request from 207.34.82.38 for A-record for .0.4.com.
12:11:01   Request from 207.34.82.38 for A-record for .0.4.com.
12:11:02   Request from 207.34.82.38 for A-record for .0.4.com.
12:11:11   Request from 207.34.82.38 for A-record for .0.5.yellowhead.com.
12:11:12   Request from 207.34.82.38 for A-record for .0.5.yellowhead.com.
12:11:14   Request from 207.34.82.38 for A-record for .0.5.yellowhead.com.
12:11:17   Request from 207.34.82.38 for A-record for .0.5.com.
12:11:18   Request from 207.34.82.38 for A-record for .0.5.com.
12:11:20   Request from 207.34.82.38 for A-record for .0.5.com.
12:11:25   Request from 207.34.82.38 for A-record for .0.6.yellowhead.com.
12:11:27   Request from 207.34.82.38 for A-record for .0.6.yellowhead.com.
12:11:28   Request from 207.34.82.38 for A-record for .0.6.yellowhead.com.
12:11:31   Request from 207.34.82.38 for A-record for .0.6.com.
12:11:33   Request from 207.34.82.38 for A-record for .0.6.com.
12:11:34   Request from 207.34.82.38 for A-record for .0.6.com.
12:11:39   Request from 207.34.82.38 for A-record for .0.7.yellowhead.com.
12:11:41   Request from 207.34.82.38 for A-record for .0.7.yellowhead.com.
12:11:42   Request from 207.34.82.38 for A-record for .0.7.yellowhead.com.
12:11:45   Request from 207.34.82.38 for A-record for .0.7.com.
12:11:47   Request from 207.34.82.38 for A-record for .0.7.com.
12:11:48   Request from 207.34.82.38 for A-record for .0.7.com.
.........and on and on and on........
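
An added example, not part of the original post: one way to pick this pattern out of a query log in the format shown above is to collapse each client's retries and flag any client whose numbered prefixes step upward one at a time. The function names, the min_run threshold of 3 and the 192.0.2.10 lines are assumptions made for the illustration.

```python
import re
from collections import defaultdict

# Lines for 207.34.82.38 are copied from the log in the post; the two
# 192.0.2.10 lines are constructed to represent an ordinary client.
SAMPLE_LOG = """\
12:10:07   Request from 207.34.82.38 for A-record for .0.1.yellowhead.com.
12:10:08   Request from 207.34.82.38 for A-record for .0.1.yellowhead.com.
12:10:13   Request from 207.34.82.38 for A-record for .0.1.com.
12:10:21   Request from 207.34.82.38 for A-record for .0.2.yellowhead.com.
12:10:27   Request from 207.34.82.38 for A-record for .0.2.com.
12:10:39   Request from 207.34.82.38 for A-record for .0.3.yellowhead.com.
12:10:45   Request from 207.34.82.38 for A-record for .0.3.com.
12:10:50   Request from 192.0.2.10 for A-record for www.yellowhead.com.
12:10:52   Request from 192.0.2.10 for A-record for mail.yellowhead.com.
"""

LINE = re.compile(r"^\d\d:\d\d:\d\d\s+Request from (\S+) for \S+-record for (\S+)$")
# Leading dot, two numeric labels, then the suffix (e.g. ".0.1.yellowhead.com.").
NUMBERED = re.compile(r"^\.?(\d{1,3})\.(\d{1,3})\.(.+?)\.?$")

def longest_run(values):
    """Length of the longest stretch where each value is the previous one plus 1."""
    best = cur = 1 if values else 0
    for a, b in zip(values, values[1:]):
        cur = cur + 1 if b == a + 1 else 1
        best = max(best, cur)
    return best

def find_enumerators(log_text, min_run=3):
    """Return {client: stats} for clients stepping through consecutive prefixes."""
    clients = defaultdict(lambda: {"queries": 0, "counters": [], "suffixes": set()})
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        st = clients[m.group(1)]
        st["queries"] += 1
        n = NUMBERED.match(m.group(2))
        if n:
            # Assumption: the two labels are treated as one 16-bit counter.
            counter = int(n.group(1)) * 256 + int(n.group(2))
            if not st["counters"] or st["counters"][-1] != counter:
                st["counters"].append(counter)  # collapse retries of one prefix
            st["suffixes"].add(n.group(3))
    return {c: {"queries": st["queries"], "run": longest_run(st["counters"]),
                "suffixes": sorted(st["suffixes"])}
            for c, st in clients.items() if longest_run(st["counters"]) >= min_run}
```

Calling find_enumerators(SAMPLE_LOG) returns only the 207.34.82.38 entry, with the number of queries it sent, the length of the consecutive run and the suffixes it appended.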






More information about the bind-users mailing list