Heads Up**W32.Sobig.F@mm - Page 2

Thread: Heads Up**W32.Sobig.F@mm

  1. #11 | Senior Member | Join Date: Jul 2002 | Posts: 106
    I think we need to take the computers away from all of these STUPID users and give them an Etch-a-Sketch. There is even tech support for it here: http://www.shanemcdonald.com/laughs/l-etchascetch.html
    just making some minor adjustments to your system....

  2. #12 | Junior Member | Join Date: Nov 2002 | Posts: 3
    My IDSs went crazy with just one internal host; it logged over 1000 alerts a minute. The PC had over 100 connections open to port 25 on remote hosts...
    Nice way to bog down networks.

  3. #13 | Zonewalker, Senior Member | Join Date: Jul 2002 | Posts: 949
    I have to admit this one seems to be way more effective at spreading than most other viri I've seen. I've been getting in the region of 150+ notifications just on my email at work today...

    When are people going to learn not to open attachments unless they have been cleaned first...
    Probably when Hell freezes over, er0k.

    Z
    Quis Custodiet Ipsos Custodes

  4. #14 | Senior Member | Join Date: Jun 2003 | Posts: 723
    I wonder what it will be like by the time we hit Sobig.T? The planned self-destruction of the last variant and release of the next seems to just keep on going and going. This one seems to be a big one; the openbsd-misc list is almost half "virus removed" warnings today.
    Do unto others as you would have them do unto you.
    The international ban against torturing prisoners of war does not necessarily apply to suspects detained in America's war on terror, Attorney General John Ashcroft told a Senate oversight committee
    -- true colors revealed, a brown shirt and jackboots

  5. #15 | Und3ertak3r, The Doctor | Join Date: Apr 2002 | Posts: 2,744
    Is it me, or are we in the middle of the heaviest period of virii releases.. ever? Or, more to the point, wild spreaders.. never seen so many cat 3 and 4 alerts on the Symantec site..

    cheers..
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  6. #16 | Senior Member | Join Date: Oct 2001 | Posts: 748
    It looks like Sobig has an as-yet unidentified payload coming up shortly...

    http://www.sophos.com/virusinfo/arti...obigextra.html

  7. #17 | Und3ertak3r, The Doctor | Join Date: Apr 2002 | Posts: 2,744
    Hi Guys,

    Found this tonight on Tech-Critic:

    The FBI subpoenaed an Arizona Internet service provider to trace the culprit behind a fast-spreading e-mail virus that security experts said may have first been posted to an adult pictures Internet site.
    One expert said the Sobig.F e-mail virus was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.

    "Sobig.F was first posted to a porn Usenet group," said Jimmy Kuo, research fellow at antivirus software maker Network Associates. Usenet is a popular forum on the Internet where computer users with similar interests post and read messages.
    Cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  8. #18 | Senior Member | Join Date: Aug 2003 | Posts: 119

    Worm operation theory / question

    Question for understanding purposes... I've put a great deal of thought into this, as have many in our shop. We have the extensions as well as the subject lines blocked so we do not scare the customers; however, every now and then a customer will get an email saying something to the effect of "an email you sent had an infected attachment xxx.pif (whatever the name would be) ... and it says to contact the system administrator".

    Now, according to Symantec's info on the worm:

    W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

    Taken from http://securityresponse.symantec.com...obig.f@mm.html

    The way I read that is: if a user outside of our network had one of our customers in their address book, the worm could then take and use their address to send out to everyone the address book contains.

    I'm pretty sure that is correct.. now...

    When these emails get detected as infected emails, it sends them back to the "sender", which in this case would be one of our customers. So they get an email inside our network saying that an attachment they sent was infected. Of course they don't know who they sent it to, nor remember sending the email...

    Is this what is happening? It's the only thing that I can possibly think of to explain it. Help me out!

  9. #19 | Senior Member | Join Date: Nov 2001 | Posts: 4,786
    Originally posted here by thehorse13

    It's amazing how many people out there don't actively update their AV scanner.
    Amazing isn't quite the word I would choose.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  10. #20 | Senior Member | Join Date: Oct 2001 | Posts: 748
    Is this what is happening? It's the only thing that I can possibly think of to explain it. Help me out!
    That is exactly what is happening. With this type of virus method becoming more common, first Klez, now Sobig, it will only be a matter of time until the default setting for most AV software is not to send a message back to the "sender" of the virii. Or at least most people will start turning it off.
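The mechanism asked about in #18 and confirmed in #20 (a forged From: address turns the gateway's "you sent an infected attachment" notice into a complaint to an uninfected customer) can be checked at the gateway rather than switched off blindly. The following Python is an added example for this thread, not code from the forum or from any AV product; the domain, relay hostname and the sample messages are constructed assumptions. It only notifies the From: address when the earliest Received: hop shows the mail actually left through our own relay.

```python
"""Gateway policy for 'you sent an infected attachment' notices (added example)."""
from email.message import EmailMessage

OUR_DOMAIN = "customer.example"        # assumed: the domain our customers mail from
OUR_RELAY = "mail.customer.example"    # assumed: hostname our outbound MTA stamps into Received:
BLOCKED = (".pif", ".scr")             # .pif is named in the thread; .scr is an assumption

def blocked_attachments(msg):
    """Filenames of attachments whose extension is on the block list."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(BLOCKED)]

def originated_from_us(msg):
    """True only if the earliest Received: hop (the bottom one) names our relay.
    A worm can forge From: but cannot forge the hop our own MTA added."""
    hops = msg.get_all("Received", [])
    return bool(hops) and OUR_RELAY in str(hops[-1])

def should_notify_sender(msg):
    """Notify From: only when the mail really left our network; otherwise the
    address is almost certainly one the worm harvested and spoofed."""
    sender = str(msg["From"] or "").lower()
    return (bool(blocked_attachments(msg))
            and sender.endswith("@" + OUR_DOMAIN)
            and originated_from_us(msg))

def build(sender, hops, filename):
    """Constructed sample message; hops are listed most-recent first, as in a real header block."""
    m = EmailMessage()
    for hop in hops:
        m["Received"] = hop
    m["From"], m["To"], m["Subject"] = sender, "dave@other.example", "Re: Details"
    m.set_content("See the attached file for details.")
    m.add_attachment(b"MZ", maintype="application", subtype="octet-stream", filename=filename)
    return m

# Sobig.F-style: From: forged to one of our customers, but the first hop is an outside PC.
FORGED = build("alice@customer.example",
               ["from gw.example.net by mx.other.example; Thu, 21 Aug 2003 10:00:00 +0000",
                "from infected-pc (dialup.example.org [198.51.100.7]) by gw.example.net; "
                "Thu, 21 Aug 2003 09:59:00 +0000"],
               "details.pif")
# Genuine: the same customer really sent the file through our relay.
GENUINE = build("alice@customer.example",
                ["from mail.customer.example by mx.other.example; Thu, 21 Aug 2003 10:00:00 +0000"],
                "details.pif")

if __name__ == "__main__":
    print("forged  -> notify?", should_notify_sender(FORGED))   # False: spares the innocent customer
    print("genuine -> notify?", should_notify_sender(GENUINE))  # True
```

Real gateways should check the hop against the relay's IP as well as its hostname, since the hostname in a Received: line is whatever the sending host claims.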
