W32/Sober@MM!M681 - Page 2

Thread: W32/Sober@MM!M681

  1. #11
    Banned
    Join Date
    Apr 2003
    Posts
    1,147
    Another setting that may help is to turn off the "reply to sender" option for infected mail in your AV gateway scanner. That option just adds a lot of overhead to the system that you just don't need at times like this.

    Since the source address is likely spoofed anyway, it just generates a bounce and more overhead. Best to just trash 'em.


  2. #12
    The ******* Shadow dalek's Avatar
    Join Date
    Sep 2005
    Posts
    1,564
    Trend has a very useful help library.


    Cleaning compressed mail attachments
    Cleaning compressed files attached to an email message involves decompressing the compressed file, cleaning the contents, and then recompressing the file. For example, if there are five files, A.doc, B.doc, C.doc, D.doc, and E.doc: C.doc is infected with a macro virus, and they are all packed into a single compressed file called docs.zip: [docs.zip(A.doc, B.doc, C.doc, D.doc, E.doc)]. You can set Trend Micro PC-cillin Internet Security to detect the virus in C.doc, issue an alert, and write the event to the Virus log.

    If you have selected the Clean viruses in compressed files check box, because C.doc is in the first layer, Trend Micro PC-cillin Internet Security will automatically execute the Clean action when Internet Security detects a virus up to the second layer.

    Important: PC-cillin Internet Security is able to carry out this Clean scan action only if the infected file is contained in the first layer [docs (A.doc, B.doc, C.doc, D.doc, E.doc)] of the compressed file.

    However, suppose C.doc was located in a deeper layer of compression, for example, (docs +2.zip{docs+1.zip[docs.zip(A.doc, B.doc, C.doc, D.doc, E.doc)]}). Although PC-cillin Internet Security could detect the virus, it is unable to perform any scan action. Therefore, if you want to clean C.doc, use WinZip, or another compression program to decompress the compressed file. When the individual files have been decompressed, right-click C.doc and click Trend Micro PC-cillin Internet Security. Trend Micro PC-cillin Internet Security will perform the scan action you have specified.

    To clean a compressed mail attachment:

    On the PC-cillin Internet Security main window, click Email > Mail Scan (or Webmail Scan).

    Under Scan actions, make sure Clean is selected from the Action when virus found list, and then select the Clean viruses in compressed files check box.

    Click Apply.
    PC Registered user # 2,336,789,457...

    "When the water reaches the upper level, follow the rats."
    Claude Swanson
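The Trend help text above turns on how deep inside a nested archive the infected file sits: the gateway can clean in place only at a shallow layer, and anything deeper must be unpacked by hand. The following is an added example, not code from the original post or from Trend Micro, that builds the three-layer archive from the help text in memory and reports the layer of each member so an administrator can tell in advance whether in-place cleaning will succeed. The `max_cleanable_layer` threshold and the placeholder document contents are assumptions for illustration.

```python
import io
import zipfile

DOCS = ("A.doc", "B.doc", "C.doc", "D.doc", "E.doc")


def build_archive(extra_layers: int = 0) -> bytes:
    """Constructed sample mirroring the Trend example.

    extra_layers=0 gives docs.zip(A.doc ... E.doc); extra_layers=2 gives
    docs+2.zip{docs+1.zip[docs.zip(A.doc ... E.doc)]}.  The .doc bodies are
    placeholder text, not real documents.
    """
    data = io.BytesIO()
    with zipfile.ZipFile(data, "w") as z:
        for name in DOCS:
            z.writestr(name, f"placeholder contents of {name}")
    for i in range(extra_layers):
        wrapper = io.BytesIO()
        with zipfile.ZipFile(wrapper, "w") as z:
            z.writestr("docs.zip" if i == 0 else f"docs+{i}.zip", data.getvalue())
        data = wrapper
    return data.getvalue()


def walk_archive(data: bytes, depth: int = 1, max_depth: int = 10, path: str = "") -> list:
    """Return (member_path, layer) for every non-archive member.

    Layer 1 is the outermost zip; a file stored inside a nested zip is at
    layer 2, and so on.  max_depth stops recursion on archives that nest
    endlessly (a zip that contains itself) or are built as zip bombs.
    """
    if depth > max_depth:
        return [(path + "<depth limit reached>", depth)]
    results = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            member = z.read(info)
            member_path = f"{path}{info.filename}"
            if zipfile.is_zipfile(io.BytesIO(member)):
                results.extend(walk_archive(member, depth + 1, max_depth, member_path + "/"))
            else:
                results.append((member_path, depth))
    return results


def layer_of(data: bytes, filename: str) -> int:
    """Layer at which a member with this base name first appears (0 if absent)."""
    for member_path, layer in walk_archive(data):
        if member_path.rsplit("/", 1)[-1] == filename:
            return layer
    return 0


def cleanable_at_gateway(data: bytes, filename: str, max_cleanable_layer: int = 1) -> bool:
    """True if the file is shallow enough for the scanner to clean in place.

    max_cleanable_layer=1 models the 'first layer only' rule quoted above;
    the exact threshold is an assumption and depends on the product.
    """
    layer = layer_of(data, filename)
    return 0 < layer <= max_cleanable_layer


if __name__ == "__main__":
    for layers in (0, 2):
        archive = build_archive(layers)
        for member_path, layer in walk_archive(archive):
            print(f"layer {layer}: {member_path}")
        print("C.doc cleanable in place:", cleanable_at_gateway(archive, "C.doc"))
```

Running the script prints the layer of every member for both the flat and the triple-nested archive; the depth limit is the part worth keeping in any real gateway tooling, since a scanner that unpacks recursively without one is an easy denial-of-service target.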

  3. #13
    Member
    Join Date
    Aug 2004
    Posts
    95
    As HTRegz said, it's safe but inconvenient.
    I have enabled the quarantine option and am trying to check the logs for genuine mails being blocked.
    Working closely with Trend to block this.

    Thank you all.

  4. #14
    Member
    Join Date
    Aug 2002
    Location
    San Antonio, Texas
    Posts
    49
    I also got like 5 viruses today attached to bogus emails with the same virus and one of them looked almost legit except the text file was in a zip so I got suspicious and scanned it first. Turned out to be the same virus. I thought someone intentionally was trying to screw up my computer but I'm glad I'm not the only one.
    "They have the internet on computers now?"

  5. #15
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    I just got hit too
    thought I was on the ignore list for a while

    From : office@parkwoodprojects.co.uk
    To : emailserv@virgin.net
    Subject : Your Password
    Attachments : Your Password ( 663 bytes)(2KB)

    - message-

    This message had an attachment which were found to contain the following virus(es):

    File 'reg_pass-data.zip' was infected with virus 'W32.Sober.X@mm!zip' (ID 4815)

    The infected file(s) were cleaned or removed from the attachment
    details -
    Return-Path: <office@parkwoodprojects.co.uk>
    Received: from n076.sc1.cp.net (64.97.168.32) by n071.sc1.cp.net (7.2.066)
    id 43474C2A00852D9E for xxx.xxx@xxx.xxx; Thu, 24 Nov 2005 08:11:52 +0000
    Received: from alfjvshi.uk (62.45.96.249) by n076.sc1.cp.net (7.2.069.1) id 4381FB10001BA6AF; Thu, 24 Nov 2005 08:11:51 +0000
    From: office@parkwoodprojects.co.uk
    To: emailserv@virgin.net
    Date: Thu, 24 Nov 2005 08:06:12 UTC
    Subject: Your Password
    Importance: Normal
    X-Priority: 3 (Normal)
    Message-ID: <a9bcaacbba0f.9087b58@parkwoodprojects.co.uk>
    This is a multi-part message in MIME format.
    X-Antivirus: AVG for E-mail 7.1.362 [267.13.5/178]
    Mime-Version: 1.0
    Content-Type: multipart/mixed; boundary="========/4381FB10001BA6B0/n076.sc1.cp.net"
    Content-Disposition: inline
    Now I'm no expert on this sort of thing, but is this the typical style of mail?
    Has the sender's address been spoofed?
    Or are they 'owned' ?
    would you consider sending the sender [office@parkwoodprojects.co.uk] a mail to let them know what is being done in their name ?

    Or do we just delete and get on with life ?
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  6. #16
    Originally posted here by foxyloxley

    Now I'm no expert on this sort of thing, but is this the typical style of mail?
    Has the sender's address been spoofed?
    Or are they 'owned' ?
    would you consider sending the sender [office@parkwoodprojects.co.uk] a mail to let them know what is being done in their name ?

    Or do we just delete and get on with life ?
    That's just a bounce message. The From: address is spoofed but it's quite likely the email is being sent in YOUR name. These messages are sometimes called "backscatter" and frankly they're not helpful.

    The only way to determine the true origin of a virus infected email is to trace back the IP addy in the mail headers.
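The reply above says the true origin can only be found by tracing the IP address in the mail headers. As an added example, not code from the original post, here is a small header walker run over the headers foxyloxley quoted: it unfolds continuation lines, reads the `Received:` chain oldest hop first, and picks out the hop at which the mail entered the receiving provider's servers. The assumption that hosts ending in `.cp.net` are the trusted receiving relays is made for this sample; in practice the trusted suffix is whatever your own mail infrastructure is, because every `Received:` line below that boundary could have been written by the sender.

```python
import re
from ipaddress import ip_address

# Constructed from the headers quoted in the post above; the recipient
# placeholder xxx.xxx@xxx.xxx is reproduced as it appears there.
SAMPLE_HEADERS = """\
Return-Path: <office@parkwoodprojects.co.uk>
Received: from n076.sc1.cp.net (64.97.168.32) by n071.sc1.cp.net (7.2.066)
 id 43474C2A00852D9E for xxx.xxx@xxx.xxx; Thu, 24 Nov 2005 08:11:52 +0000
Received: from alfjvshi.uk (62.45.96.249) by n076.sc1.cp.net (7.2.069.1) id 4381FB10001BA6AF; Thu, 24 Nov 2005 08:11:51 +0000
From: office@parkwoodprojects.co.uk
To: emailserv@virgin.net
Subject: Your Password
"""

# 'from <name> (<address>) by <host>' is the common shape; real-world
# Received lines vary a lot, so treat a non-match as 'unparsed', not as an error.
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\(([^)]+)\)\s+by\s+(\S+)", re.IGNORECASE)


def unfold_headers(raw: str) -> list:
    """Join continuation lines (leading whitespace) back onto their header."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def received_hops(raw: str) -> list:
    """Return (helo_name, ip, by_host) for each parsable Received line, oldest first.

    Each relay prepends its own Received line, so the last one in the text
    is the earliest hop; the list is reversed to read in delivery order.
    """
    hops = []
    for line in unfold_headers(raw):
        if not line.lower().startswith("received:"):
            continue
        m = RECEIVED_RE.search(line)
        if m:
            hops.append((m.group(1), m.group(2).strip(), m.group(3)))
    hops.reverse()
    return hops


def originating_hop(raw: str, trusted_suffixes=(".cp.net",)):
    """The hop where the mail reached a trusted relay: its 'from' side is the origin.

    Hops relayed by untrusted hosts are skipped because their Received lines
    may be forged.  Returns None if no trusted relay appears.
    """
    for helo, ip, by_host in received_hops(raw):
        if by_host.lower().endswith(tuple(s.lower() for s in trusted_suffixes)):
            try:
                ip_address(ip)
            except ValueError:
                continue  # parenthesised text was not an address
            return helo, ip, by_host
    return None


def sender_domain(raw: str) -> str:
    """Domain of the From: header, for comparison with the originating hop."""
    for line in unfold_headers(raw):
        if line.lower().startswith("from:"):
            m = re.search(r"@([\w.-]+)", line)
            if m:
                return m.group(1).lower()
    return ""


if __name__ == "__main__":
    origin = originating_hop(SAMPLE_HEADERS)
    print("originating hop:", origin)
    print("From: domain   :", sender_domain(SAMPLE_HEADERS))
    if origin and not origin[0].lower().endswith(sender_domain(SAMPLE_HEADERS)):
        print("HELO name does not belong to the From: domain; treat From: as spoofed")
```

On the quoted headers the origin resolves to `62.45.96.249` announcing itself as `alfjvshi.uk`, which has nothing to do with `parkwoodprojects.co.uk`; that mismatch, not the `From:` line, is what tells you the sender address was forged and that notifying them would only add to the backscatter.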

  7. #17
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    The From: address is spoofed but it's quite likely the email is being sent in YOUR name. These messages are sometimes called "backscatter"
    So right now there could be mails in MY name doing the rounds?
    And do you have any details on this 'backscatter'?
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  8. #18
    Well, a typical mass-mailer worm selects a random address on the infected PC to send "from:" and another random one to send "to:". That's absolutely normal and to be expected.

    Backscatter happens when (for example) an organisation gets 10,000 infected emails and then helpfully decides to tell the alleged sender that they sent an infected message - so it generates 10,000 bounce messages which it sends to wholly innocent (and uninfected) parties.

    There's really no point configuring your software to tell the "sender" the message was infected, because the sender didn't actually send it. All it does do is create a great deal of confusion.

  9. #19
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    deleted : now getting on with life
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  10. #20
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    Sorry for the double post, but bumping thread .......

    I've now had SEVEN mails from various organisations, inc CIA
    all contain the same virus [all stripped out by AVG]
    is everyone else having a busy day too ???

    [edit]
    they are STILL coming

    FBI
    Kabul postmaster [WTF]

    this is getting ridiculous
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone
