If they have any sort of actual security at the perimeter, somebody with authority to stop this should have been aware of this server long ago. This could indicate bigger problems with their configuration that need correction, in addition to a cleanup of whatever other servers that don't support their business but are out on their network. Wonder if we'll hear much else about it.
Like I wrote previous, in my experience, with some networks responsible for similar behaviors as here, I actually contact them and send copies of the site stats that evidence one of their IPAs and it's remarkable how few even respond...some do, the better administrated ones, but more don't.
For example, I found an IPA from the Georgia Board of Regents (probably a state library, maybe a school or admin. office, who knows) that was guilty of this and contacted them and they responded, very nicely, that they'd taken the offending terminal down and were repairing; also same from the University of Florida, Deleware state .gov system, places like that that I actually took time to correspond with about their problem, BUT, what's surprising is how many didn't even respond (Cal State Chico didn't, a major university in Canada didn't, etc.).
This zombie behavior is far more prevalent than this article lets on. Doesn't make it right because, in fact, I loathe it and agree that whoever writes malware ought to be in jail for a long time. Unfortunately, spammers even sell malware on the internet calling it "advertising" and "marketing" software but it works on the same principle: infecting any available computer and then using it to infect others, all for access to information and to avoid paying their own way. At least, I guess. I think most of it is done to be destructive, nothing smart or cute about it.
I believe that the article said that the server was actually outside their firewall. Thereby, completely open to attack. I'm thinking that this isn't a Netware server, but a Linux server, and obviously, one that wasn't secured at all.
Mark