
Thread: Heads Up**W32.Sobig.F@mm

  1. #1
    The Doctor Und3ertak3r
    Join Date
    Apr 2002
    Posts
    2,744

    Heads Up**W32.Sobig.F@mm

    Hi Guys..

    W32.Sobig.F@mm

    This is currently a Cat 2 on Symantec (at 11:40 UTC).

    No full info yet; check Symantec for the latest info.

    From Sophos, the following:

    W32/Sobig-F is a worm that spreads via email and network shares.

    W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
    = <Windows folder>\winppr32.exe /sinc

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
    = <Windows folder>\winppr32.exe /sinc

    The worm sends itself as an attachment to email addresses collected from various files on the victim's computer.
    Cheers..

    Panda Software gives this one an Amber status - news here (status at 13:22 UTC)
    "Consumer technology now exceeds the average person's ability to comprehend how to use it... give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    119

    thanks for the info

    As always, thanks for the heads up. Getting spammed like crazy by this thing. As usual, log onto Anti Online to find out what's up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

    Thanks!

  3. #3

    Re: thanks for the info

    Originally posted here by thadbme
    As always, thanks for the heads up. Getting spammed like crazy by this thing. As usual, log onto Anti Online to find out what's up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

    Thanks!
    Yea, same here - I've been watching the damn notifications all day long as this thing keeps knocking at my doors, trying to get in. I'm glad it's being blocked and I'm a little surprised that my network is receiving this much infected mail - at least with the same damn infection...

  4. #4
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    Question. Right now the relays are set up to strip all .pif extensions and all .scr extensions, which keeps the virus from getting through; however, the message still gets to the customer. So what I've done is block all of the subject headers that this virus uses.

    Details
    My details
    Your details
    Your application
    Thank you!
    Wicked screensaver
    That movie

    Now I have this set up to block all occurrences of this using *'s. Think about those subject lines just for a second and you'll see the problem. Valid emails could be blocked if they come with this subject header. And since this bug spoofs the sender's email address, is there any other way to block it? If someone sends a valid email with those subjects they won't even know that it didn't make it through, because the message is dropped.

    Ideas??

  5. #5
    AO übergeek phishphreek
    Join Date
    Jan 2002
    Posts
    4,325
    Damn, this one is going crazy!

    I've received 190+ of these on one single address! I've set up an auto reply to those emails using the subject as a filter. I replied informing them they have been infected, with a link to instructions on how to remove it from their system.

    Hopefully people start updating their defs soon... I'm tired of these things already!

  6. #6
    We've got a few guys that work here that, because of the nature of the business they are involved with, their email addresses are all over the public - those guys are getting absolutely slammed with this thing, but like I stated earlier, I've got the trusty firewall blocking it all, so no harm done....
    - Maverick

  7. #7
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    3200+ and counting. How are you blocking these through the firewall? Is it a local firewall or for the network? I'm curious; these are coming from who knows where because of the spoofed sender. Frankly, I'd rather live without all of the notifications. I think we've got the idea after the first 2000. It's mainly just an annoyance, but I've got a feeling this might be one of those that we'll have to live with for a while. According to Symantec it will stop on the 10th of September, at least I'm hoping so!

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    Our mail servers have gotten 12,342 messages of all variants of the subject line. We are filtering the messages at the server level (both payload and subject line filters) via Exchange's management tool, so the individual's mail store never gets the delivery. Needless to say, we're stripping out the virus with our enterprise AV solution long before it gets to the mail store.

    It's amazing how many people out there don't actively update their AV scanner.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    119
    I'm using subject line filters to block them, not payload. The individual never gets the mail message; however, we receive notification of a violation and a drop message. I'm trying to figure out how to block this critter from ever touching our mail relays. I could always turn off logging due to the volume, but if something else tries to make it through I'd like to be aware of it. Sounds like you're getting hit pretty hard as well; are you getting the loads of notifications?

    I guess my question is: am I just going to have to live with this, or is there some clever and devious way that I could put a stop to it? Via figuring out who these are coming from (assuming it's not from 100's of users), to possibly notify them of the problem as mentioned earlier? Or just to get the message to stone cold turn it away, like it never saw it, to avoid getting 3000 more messages by this time tomorrow.
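
The relay-side filtering discussed in posts #4, #8 and #9 (subject-line filters, stripping .pif/.scr attachments, and the spoofed sender making From: useless), as an added Python example that is not code from the thread or from any product named in it. It quarantines only when both the subject and the attachment match, flags a single indicator, and reports the relay from the topmost Received: header rather than the forged sender; all host and address names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed for W32.Sobig.F@mm in the thread (post #4).
SOBIG_SUBJECTS = {
    "details", "my details", "your details", "your application",
    "thank you!", "wicked screensaver", "that movie",
}
# Attachment extensions the relays in the thread strip.
SOBIG_EXTENSIONS = (".pif", ".scr")


def classify(raw: bytes) -> dict:
    """Verdict for one RFC 822 message.

    Quarantine needs BOTH a known subject AND a .pif/.scr attachment; subject
    alone is only flagged, so a legitimate "Your details" mail still arrives.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject_hit = (msg.get("Subject") or "").strip().lower() in SOBIG_SUBJECTS
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    payload_hit = any(n.endswith(SOBIG_EXTENSIONS) for n in names)
    # From: is spoofed by this worm; the relay that handed us the message
    # (topmost Received: header) is what to log or notify on instead.
    received = msg.get_all("Received") or []
    relay = str(received[0]).split()[1] if received else None
    if subject_hit and payload_hit:
        verdict = "quarantine"
    elif subject_hit or payload_hit:
        verdict = "deliver-flagged"
    else:
        verdict = "deliver"
    return {"verdict": verdict, "relay": relay,
            "subject_hit": subject_hit, "payload_hit": payload_hit}


def build_sample(subject: str, attachment: str = "") -> bytes:
    """Construct a test message (hypothetical data, not a real capture)."""
    m = EmailMessage()
    m["Received"] = "from relay.example.invalid ([192.0.2.10]) by mx.example.invalid"
    m["From"] = "spoofed.sender@example.invalid"  # the worm forges this
    m["To"] = "helpdesk@example.invalid"
    m["Subject"] = subject
    m.set_content("Please see the attached file.")
    if attachment:
        m.add_attachment(b"placeholder bytes, not a real payload", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```

Run `classify(build_sample("Your details", "your_details.pif"))` to see a quarantine verdict, and the same subject without an attachment to see it flagged but delivered.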

  10. #10
    er0k
    Guest
    when are people going to learn not to open attachments unless they have been cleaned first...
