Heads Up**W32.Sobig.F@mm

Printable View

August 19th, 2003, 12:41 PM
Und3ertak3r

Heads Up**W32.Sobig.F@mm

Hi Guys..

W32.Sobig.F@mm

This is currently a Cat 2 on Symantec (at 11:40UTC)

No full info.. check for the latest info On Symantec

From Sophos the following ..

Quote:

W32/Sobig-F is a worm that spreads via email and network shares.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX
= <Windows folder<\winppr32.exe /sinc

The worm sends itself as an attachment to email addresses collected from various files on the victim's computer.

Cheers..

PAnda Software; gives this one a Amber Status - News here status at 13:22UTC
August 19th, 2003, 06:30 PM
thadbme

thanks for the info

As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

Thanks!
August 19th, 2003, 08:26 PM
Maverick811

Re: thanks for the info

Quote:

Originally posted here by thadbme
As always thanks for the heads up. Getting spammed like crazy by this thing. As usual log onto Anti Online to find out whats up. Blocking .pif's works well, but still getting the annoying messages to come through after they are stripped.

Thanks!

Yea, same here - I've been watching the damn notifications all day long as this thing keeps knocking at my doors, trying to get in. I'm glad it's being blocked and I'm a little surprised that my network is receiving this much infected mail - at least with the same damn infection...
August 20th, 2003, 01:18 PM
thadbme

Question. Right now the relays are setup to strip all .pif extensions, and all .scr extensions, which keeps the virus from getting through, however the message still gets to the customer. So what I've done is block all of the subject headers that this virus uses.

Details
My details
Your details
Your application
Thank you!
Wicked screensaver
That movie

Now i have this setup to block all occurances of this using *'s. Think about those subject lines just for a second and you'll see the problem. Valid emails could be blocked, if it comes with this subject header. And since this bug spoofs the senders email address is there any other way to block it? If someone sends a valid email with those subjects they wont even know that it didnt make it through because the message is dropped.

Ideas??
August 20th, 2003, 05:36 PM
phishphreek

Damn, this one is going crazy!

I've recieved 190+ of these on one single address! I've setup an auto reply to those emails using the subject as a filter. I replied informing them they have been infected and with a link to instructions on how to remove it from their system.

Hopefully people start updating their defs soon... I'm tired of these things already!
August 20th, 2003, 05:55 PM
Maverick811

We've got a few guys that work here that, because of the nature of the business they are involved with, their email addresses are all over the public - those guys are getting absolutely slammed with this thing, but like I stated earlier, I've got the trusty firewall blocking it all, so no harm done....
August 20th, 2003, 06:10 PM
thadbme

3200+ and counting, how are you blocking these through the firewall? is it a local firewall or for the network? I'm curious, these are coming from who knows where because of the spoofed sender, frankly i'd rather live without all of the notifications. I think we've got the idea after the first 2000. Its mainly just an annoyance, but i've got a feeling this might be one of those that we'll have to live with for awile, according to Symantec it will stop on the 10th of September, atleast i'm hoping so!
August 20th, 2003, 06:18 PM
thehorse13

Our mail servers have gotten 12,342 messages of all varients of the subject line. We are filtering the messages at the server level (both payload and subject line filters) via Exchange's management tool so the individual's mail store never gets the delivery. Needless to say, we're stripping out the virus with our enterprise AV solution long before it gets to the mail store.

It's amazing how many people out there don't actively update their AV scanner.
August 20th, 2003, 06:37 PM
thadbme

i'm using subject line filters to block them not payload, the individual never gets the mail message, however we receive notification of a violation and a drop message, i'm trying to figure out how to block this critter from ever touching our mail relays, i could always turn off logging due to the volume but if something else tries to make it through i'd like to be aware of it. Sounds like your getting hit pretty hard as well, are you getting the loads of notifications.

I guess my question is am i just going to have to live with this, or is there some clever and devious way that i could put a stop to it. via, figuring out who these are coming from (assuming its not from 100's of users, to possibly notify them of problem as mentioned earlier) Or just to get the message to stone cold turn it away, like it never saw it, to avoid getting 3000 more messages by this time tomorrow.
August 20th, 2003, 06:58 PM
er0k

when are people going to learn not to open attachments unless they have been cleaned first...
August 20th, 2003, 07:11 PM
ol jeb

I think we need to take the computers away from all of these STUPID users and give them an etch-a-sketch. there is even tech support for it here: http://www.shanemcdonald.com/laughs/l-etchascetch.html
August 20th, 2003, 07:19 PM
haguec

My IDS's went crazy with just one internal host, logged over 1000 alerts a min. The PC had over 100 connections open to port 25 on remote hosts...
Nice way to bog down networks
August 20th, 2003, 08:46 PM
Zonewalker

I have to admit this one seems to be way more effective at spreading than most other viri I've seen - I've been getting in the region of 150+ notifications just on my email at work today...

Quote:

when are people going to learn not to open attachments unless they have been cleaned first...

probably when Hell freezes over er0k :D

Z
August 21st, 2003, 12:24 AM
lumpyporridge

I wonder what it will be like by the time we hit sobigt? The planned self destruction of the last and release of the next variant seems to just keep on going and going. This one seems to be a big one, the openbsdmisc list is almost half virus removed warnings today.
August 21st, 2003, 12:20 PM
Und3ertak3r

Is it me or are we in the middle of the heaviest period of virii releases.. ever? or more to the point wild spreaders.. never seen somany cat 3 and 4 alerts on the Symantec site..

cheers..
August 22nd, 2003, 06:43 PM
mohaughn

It looks like sobig has an as of yet unidentified payload coming up shortly...

http://www.sophos.com/virusinfo/arti...obigextra.html
August 24th, 2003, 12:57 PM
Und3ertak3r

Hi Guy's,

Found this tonight..on Tech-Critic

Quote:

The FBI subpoenaed an Arizona Internet service provider to trace the culprit behind a fast-spreading e-mail virus that security experts said may have first been posted to an adult pictures Internet site.
One expert said the Sobig.F e-mail virus was disguised so that anyone who clicked on a link purporting to show a sexually graphic picture became infected with the self-replicating worm, which then spread itself to other e-mail addresses.

"Sobig.F was first posted to a porn Usenet group," said Jimmy Kuo, research fellow at antivirus software maker Network Associates. Usenet is a popular forum on the Internet where computer users with similar interests post and read messages.

Cheers
August 24th, 2003, 05:20 PM
thadbme

worm operation theory / question

question for understanding purposes... i've put a great deal of thought into this as have many in our shop. We have the extensions as well as the subject lines blocked so we do not scare the customers... however every now and then a customer will get an email saying something to the effect of "an email you sent had an infected attachment xxx.pif (whatever the name would be) ... and it says to contact the system administrator"

now according to symantecs info on the worm

W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual.

taken from http://[email protected]

the way i read that is if a user outside of our network had one of our customers in their address book, the worm could then take and use their address to send out to everyone the address book contains.

i'm pretty sure that is correct.. now...

when these emails get detected as an infected email, it sends it back to the "sender" which in this case would be one of our customers. So they get an email inside our network saying that an attachment they sent was infected. Of course they dont know who they sent it to, nor remember sending the email...

Is this what is happening? Its the only thing that i can possibly think of to explain it. Help me out!
August 24th, 2003, 05:34 PM
Tedob1

Quote:

Originally posted here by thehorse13

It's amazing how many people out there don't actively update their AV scanner.

amazing isn't quite the word i would chose.
August 25th, 2003, 04:23 PM
mohaughn

Quote:

Is this what is happening? Its the only thing that i can possibly think of to explain it. Help me out!

That is exactly what is happening. With this type of virus method becoming more common, first klez now SoBIG, it will only be a matter of time until the default setting for most AV software is not to send a message back to the "sender" of the virii. Or atleast most people will start turning it off.