Heads Up**W32.Sobig.F@mm
Page 1 of 2 12 LastLast
Results 1 to 10 of 20

Thread: Heads Up**W32.Sobig.F@mm

  1. #1
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744

    Exclamation Heads Up**W32.Sobig.F@mm

    Hi Guys..

    W32.Sobig.F@mm

    This is currently a Cat 2 on Symantec (at 11:40UTC)

    No full info.. check for the latest info On Symantec

    From Sophos the following ..

    W32/Sobig-F is a worm that spreads via email and network shares.

    W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
    = <Windows folder>\winppr32.exe /sinc

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
    = <Windows folder<\winppr32.exe /sinc

    The worm sends itself as an attachment to email addresses collected from various files on the victim's computer.
    Cheers..

    PAnda Software; gives this one a Amber Status - News here status at 13:22UTC
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    119

    thanks for the info

    As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

    Thanks!

  3. #3
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852

    Re: thanks for the info

    Originally posted here by thadbme
    As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

    Thanks!
    Yea, same here - I've been watching the damn notifications all day long as this thing keeps knocking at my doors, trying to get in. I'm glad it's being blocked and I'm a little surprised that my network is receiving this much infected mail - at least with the same damn infection...

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    Question. Right now the relays are setup to strip all .pif extensions, and all .scr extensions, which keeps the virus from getting through, however the message still gets to the customer. So what I've done is block all of the subject headers that this virus uses.

    Details
    My details
    Your details
    Your application
    Thank you!
    Wicked screensaver
    That movie


    Now i have this setup to block all occurances of this using *'s. Think about those subject lines just for a second and you'll see the problem. Valid emails could be blocked, if it comes with this subject header. And since this bug spoofs the senders email address is there any other way to block it? If someone sends a valid email with those subjects they wont even know that it didnt make it through because the message is dropped.

    Ideas??

  5. #5
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,324
    Damn, this one is going crazy!

    I've recieved 190+ of these on one single address! I've setup an auto reply to those emails using the subject as a filter. I replied informing them they have been infected and with a link to instructions on how to remove it from their system.

    Hopefully people start updating their defs soon... I'm tired of these things already!

  6. #6
    Top Gun Maverick811's Avatar
    Join Date
    Oct 2001
    Posts
    852
    We've got a few guys that work here that, because of the nature of the business they are involved with, their email addresses are all over the public - those guys are getting absolutely slammed with this thing, but like I stated earlier, I've got the trusty firewall blocking it all, so no harm done....
    - Maverick

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    3200+ and counting, how are you blocking these through the firewall? is it a local firewall or for the network? I'm curious, these are coming from who knows where because of the spoofed sender, frankly i'd rather live without all of the notifications. I think we've got the idea after the first 2000. Its mainly just an annoyance, but i've got a feeling this might be one of those that we'll have to live with for awile, according to Symantec it will stop on the 10th of September, atleast i'm hoping so!

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Our mail servers have gotten 12,342 messages of all varients of the subject line. We are filtering the messages at the server level (both payload and subject line filters) via Exchange's management tool so the individual's mail store never gets the delivery. Needless to say, we're stripping out the virus with our enterprise AV solution long before it gets to the mail store.

    It's amazing how many people out there don't actively update their AV scanner.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    i'm using subject line filters to block them not payload, the individual never gets the mail message, however we receive notification of a violation and a drop message, i'm trying to figure out how to block this critter from ever touching our mail relays, i could always turn off logging due to the volume but if something else tries to make it through i'd like to be aware of it. Sounds like your getting hit pretty hard as well, are you getting the loads of notifications.

    I guess my question is am i just going to have to live with this, or is there some clever and devious way that i could put a stop to it. via, figuring out who these are coming from (assuming its not from 100's of users, to possibly notify them of problem as mentioned earlier) Or just to get the message to stone cold turn it away, like it never saw it, to avoid getting 3000 more messages by this time tomorrow.

  10. #10
    er0k
    Guest
    when are people going to learn not to open attachments unless they have been cleaned first...

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides