Computer Security - New Sobig variation on the loose W32/Sobig.F-mm
#1

Full Info at: http://www.security-forums.com/forum...pic.php?t=7662

Warning: dangerous new variant of "Sobig" family spreading

On 18th August 2003, MessageLabs, the email security company, intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

http://www.messagelabs.com/viruseye/...Sobig%2EF%2Dmm

--
-+ Shaolin +-
Discard what is useless, absorb what is not and add what is uniquely your own.
.: http://www.security-forums.com :.

Lord Shaolin

#2

Posts: n/a

Yup, it's on the loose. Our mail server has intercepted over 85 infected emails in the last 3 hours... It's insane! I hope it slows down soon, or else I'll be spending the rest of my day deleting email from my inbox! Shouldn't this virus be upgraded to a "4" by now?

"Lord Shaolin" <abuse@127.0.0.1> wrote in message news:<>...
> Full Info at: http://www.security-forums.com/forum...pic.php?t=7662
>
> Warning: dangerous new variant of "Sobig" family spreading
>
> On 18th August 2003, MessageLabs the email security company intercepted
> several copies of a mass-mailing virus which were identified as
> W32/Sobig.F-mm. The initial copies all originated from the United States.
>
> http://www.messagelabs.com/viruseye/...Sobig%2EF%2Dmm

#3

Posts: n/a

I know the feeling. I have had 8 in the last 30 minutes on the work account. The one that really surprises me is the yahoo account. I know I got 20-30 last night, and haven't looked this morning. I guess I ought to, so I can keep getting mail.

--
Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
Systems Administrator
Coordinated Home Care

remove me to email to me

"Barry Margolin" <> wrote in message news:u2v0b.224$...
> In article <>,
> Babe Ruthless <> wrote:
> >Yup, it's on the loose. Our mail server has intercepted over 85
> >infected emails in the last 3 hours... It's insane! I hope it slows
> >down soon, or else I'll be spending the rest of my day deleting email
> >from my inbox! Shouldn't this virus be upgraded to a "4" by now?
>
> Yep, very annoying. I'm getting lots of bounce messages because my address
> is being forged as the sender of many of them. Since I post frequently to
> Usenet, I'm apparently in thousands of people's address books.
>
> --
> Barry Margolin,
> Level(3), Woburn, MA
> *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
> Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

#4

Posts: n/a

"Simon Telrenner" <> writes:

]I know the feeling. I have had 8 in the last 30 minutes on the work
]account. The one that really surprises me is the yahoo account. I know I
]got 20-30 last night, and haven't looked this morning. I guess I ought to
]so I can keep getting mail
]--
]Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
]Systems Administrator
]Coordinated Home Care
]
]remove me to email to me
]"Barry Margolin" <> wrote in message
]news:u2v0b.224$...
]> In article <>,
]> Babe Ruthless <> wrote:
]> >Yup, it's on the loose. Our mail server has intercepted over 85
]> >infected emails in the last 3 hours... It's insane! I hope it slows
]> >down soon, or else I'll be spending the rest of my day deleting email
]> >from my inbox! Shouldn't this virus be upgraded to a "4" by now?
]>
]> Yep, very annoying. I'm getting lots of bounce messages because my
]address
]> is being forged as the sender of many of them. Since I post frequently to
]> Usenet, I'm apparently in thousands of people's address books.

I get loads of bounce messages, almost all coming from the John Deere company as the original ReceivedFrom site (well over a hundred in the past day). And I get about 20 an hour coming to me directly. (Someone must be stripping the attachments, because none have the attachment.)

#5

Posts: n/a

In article <bi1k0g$8f3$>,
Bill Unruh <> wrote:
>I get loads of bounce messages, almost all coming from the John Deere
>company as the original ReceivedFrom site.(well over a hundred in the
>past day). And I get about 20 an hour coming to me directly. (someone
>must be stripping the attachments, because none have the attachement)

And I noticed that a disproportionate number of my bounces came from people I think read comp.lang.lisp, a newsgroup I post to frequently. It seems like the virus is somehow able to pick an "appropriate" sender to forge for particular destinations, presumably to make the message look legitimate. It made me think my machine was infected, but my AV software seems to be up to date and I couldn't find any of the files that the virus writes on my disk.

--
Barry Margolin,
Level(3), Woburn, MA
*** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.

#6

Posts: n/a

Barry Margolin <> writes:

]In article <bi1k0g$8f3$>,
]Bill Unruh <> wrote:
]>I get loads of bounce messages, almost all coming from the John Deere
]>company as the original ReceivedFrom site.(well over a hundred in the
]>past day). And I get about 20 an hour coming to me directly. (someone
]>must be stripping the attachments, because none have the attachement)
]And I noticed that a disproportionate number of my bounces came from people
]I think read comp.lang.lisp, a newsgroup I post to frequently. It seems
]like the virus is somehow able to pick an "appropriate" sender to forge for
]particular destinations, presumably to make the message look legitimate.
]It made me think my machine was infected, but my AV software seems to be up
]to date and I couldn't find any of the files that the virus writes on my
]disk.

Yes, it certainly forges the sender. Not sure where the John Deere stuff comes from (if it is them-- ARIN claims the address range as theirs, but John Deere does not know about it), since I certainly do not contribute to agricultural newsgroups (although some of the newsgroups could be characterised as contributing to the fertiliser store in the US.) Since I run Linux, I do not see how my machine could be infected.

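Barry's and Bill's posts above describe the same thing from the receiving end: bounces for mail they never sent, because the worm forges a plausible sender. As an added example that is not part of this thread, the Python below classifies a delivery-status bounce as backscatter when the bounced original names one of our addresses as sender but its Received chain never passed through our own mail hosts; the domain, host names and the sample bounce are constructed.

```python
import re
import email
from email import policy
OUR_DOMAIN = "example.org"                            # constructed placeholder
OUR_HOSTS = {"mail.example.org", "mx2.example.org"}   # constructed placeholder

# Constructed sample DSN: the bounced original names barry@example.org as
# sender but was injected from an outside dial-up host, never via OUR_HOSTS.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: barry@example.org
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

The message could not be delivered: user unknown.
--b1
Content-Type: message/rfc822

Received: from dsl-pool.isp.example (dsl-pool.isp.example [203.0.113.7])
\tby mx.example.net with SMTP; Thu, 21 Aug 2003 10:00:00 +0000
From: barry@example.org
To: nobody@example.net

--b1--
"""

def original_message(bounce):
    # Return the bounced original carried as a message/rfc822 part, else None.
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None

def classify_bounce(raw):
    # 'backscatter': original names our domain as sender but no Received hop is
    # from one of OUR_HOSTS; 'ours': one is; 'unrelated': not our sender at all.
    bounce = email.message_from_string(raw, policy=policy.default)
    orig = original_message(bounce)
    if orig is None:
        return "unrelated"
    sender = str(orig.get("From", "")).lower().rstrip(">")
    if not sender.endswith("@" + OUR_DOMAIN):
        return "unrelated"
    for hop in orig.get_all("Received", []):
        m = re.match(r"\s*from\s+([\w.-]+)", str(hop), re.IGNORECASE)
        if m and m.group(1).lower() in OUR_HOSTS:
            return "ours"
    return "backscatter"
```

Bounces classified as backscatter can be filed or dropped without the recipient wading through them by hand, which is the flood the posters above describe.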
#7

Posts: n/a

On Thu, 21 Aug 2003 17:48:53 +0000 (UTC), Bill Unruh wrote:
> Yes, it certainly forges the sender. Not sure where the John Deere stuff comes
> from (if it is them-- ARIN claims the address range as theirs, but John Deere
> does not know about it), since I certainly do not contribute to agricultural
> newgroups (although some of the newsgroups could be characterised as
> contributing to the fertiliser store in the US.)
> Since I run Linux, I do not see how my machine could be infected.

There is some speculation that, because of the rapid spread of the virus, a spam list may have been used to get it going. Names may have been pulled from Usenet.

#8

Posts: n/a

On Tue, 19 Aug 2003 15:56:08 +0100, "Lord Shaolin" <abuse@127.0.0.1> wrote:
>Full Info at: http://www.security-forums.com/forum...pic.php?t=7662
>
>Warning: dangerous new variant of "Sobig" family spreading
>
>On 18th August 2003, MessageLabs the email security company intercepted
>several copies of a mass-mailing virus which were identified as
>W32/Sobig.F-mm. The initial copies all originated from the United States.
>
>http://www.messagelabs.com/viruseye/...Sobig%2EF%2Dmm

hmmm it arrived here this afternoon. The world is shrinking.

--
Jim Watt
http://www.gibnet.com