New Sobig variation on the loose W32/Sobig.F-mm

Discussion in 'Computer Security' started by Lord Shaolin, Aug 19, 2003.

  1. Lord Shaolin

    Lord Shaolin Guest

    Full Info at: http://www.security-forums.com/forum/viewtopic.php?t=7662

    Warning: dangerous new variant of "Sobig" family spreading

    On 18th August 2003, MessageLabs, the email security company, intercepted
    several copies of a mass-mailing virus which were identified as
    W32/Sobig.F-mm. The initial copies all originated from the United States.

    http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Sobig.F-mm

    --

    -+ Shaolin +-
    Discard what is useless, absorb what is not and
    add what is uniquely your own.

    .: http://www.security-forums.com :.
    Lord Shaolin, Aug 19, 2003
    #1
  2. Yup, it's on the loose. Our mail server has intercepted over 85
    infected emails in the last 3 hours... It's insane! I hope it slows
    down soon, or else I'll be spending the rest of my day deleting email
    from my inbox! Shouldn't this virus be upgraded to a "4" by now?

    "Lord Shaolin" <abuse@127.0.0.1> wrote in message news:<>...
    > Full Info at: http://www.security-forums.com/forum/viewtopic.php?t=7662
    >
    > Warning: dangerous new variant of "Sobig" family spreading
    >
    > On 18th August 2003, MessageLabs, the email security company, intercepted
    > several copies of a mass-mailing virus which were identified as
    > W32/Sobig.F-mm. The initial copies all originated from the United States.
    >
    > http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Sobig.F-mm
    Babe Ruthless, Aug 19, 2003
    #2
  3. I know the feeling. I have had 8 in the last 30 minutes on the work
    account. The one that really surprises me is the Yahoo account. I know I
    got 20-30 last night, and haven't looked this morning. I guess I ought to
    so I can keep getting mail.

    --
    Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
    Systems Administrator
    Coordinated Home Care

    remove me to email to me
    "Barry Margolin" <> wrote in message
    news:u2v0b.224$3.com...
    > In article <>,
    > Babe Ruthless <> wrote:
    > >Yup, it's on the loose. Our mail server has intercepted over 85
    > >infected emails in the last 3 hours... It's insane! I hope it slows
    > >down soon, or else I'll be spending the rest of my day deleting email
    > >from my inbox! Shouldn't this virus be upgraded to a "4" by now?

    >
    > Yep, very annoying. I'm getting lots of bounce messages because my address
    > is being forged as the sender of many of them. Since I post frequently to
    > Usenet, I'm apparently in thousands of people's address books.
    >
    > --
    > Barry Margolin,
    > Level(3), Woburn, MA
    > *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
    > Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
    Simon Telrenner, Aug 20, 2003
    #3
  4. Bill Unruh

    Bill Unruh Guest

    "Simon Telrenner" <> writes:

    ]I know the feeling. I have had 8 in the last 30 minutes on the work
    ]account. The one that really surprises me is the Yahoo account. I know I
    ]got 20-30 last night, and haven't looked this morning. I guess I ought to
    ]so I can keep getting mail.

    ]--
    ]Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
    ]Systems Administrator
    ]Coordinated Home Care
    ]
    ]remove me to email to me
    ]"Barry Margolin" <> wrote in message
    ]news:u2v0b.224$3.com...
    ]> In article <>,
    ]> Babe Ruthless <> wrote:
    ]> >Yup, it's on the loose. Our mail server has intercepted over 85
    ]> >infected emails in the last 3 hours... It's insane! I hope it slows
    ]> >down soon, or else I'll be spending the rest of my day deleting email
    ]> >from my inbox! Shouldn't this virus be upgraded to a "4" by now?
    ]>
    ]> Yep, very annoying. I'm getting lots of bounce messages because my address
    ]> is being forged as the sender of many of them. Since I post frequently to
    ]> Usenet, I'm apparently in thousands of people's address books.

    I get loads of bounce messages, almost all coming from the John Deere
    company as the original ReceivedFrom site (well over a hundred in the
    past day). And I get about 20 an hour coming to me directly. (Someone
    must be stripping the attachments, because none have the attachment.)
    Bill Unruh, Aug 21, 2003
    #4
  5. In article <bi1k0g$8f3$>,
    Bill Unruh <> wrote:
    >I get loads of bounce messages, almost all coming from the John Deere
    >company as the original ReceivedFrom site (well over a hundred in the
    >past day). And I get about 20 an hour coming to me directly. (Someone
    >must be stripping the attachments, because none have the attachment.)

    And I noticed that a disproportionate number of my bounces came from people
    I think read comp.lang.lisp, a newsgroup I post to frequently. It seems
    like the virus is somehow able to pick an "appropriate" sender to forge for
    particular destinations, presumably to make the message look legitimate.
    It made me think my machine was infected, but my AV software seems to be up
    to date and I couldn't find any of the files that the virus writes on my
    disk.

    --
    Barry Margolin,
    Level(3), Woburn, MA
    *** DON'T SEND TECHNICAL QUESTIONS DIRECTLY TO ME, post them to newsgroups.
    Please DON'T copy followups to me -- I'll assume it wasn't posted to the group.
    Barry Margolin, Aug 21, 2003
    #5
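    The two posts above describe the same triage problem from the receiving side: the From: address on the worm's mail (and on the bounces it generates) is a forged third party, so the only trustworthy trace of origin is the earliest Received: header, the "original ReceivedFrom site". The script below is an added example, not code from the thread; it parses a constructed sample message (all hosts and addresses made up) and flags a mismatch between the claimed sender domain and the injecting host.

    ```python
    import re
    from email import message_from_string
    from email.utils import parseaddr

    # Constructed sample of a worm message that arrived directly, as in the
    # thread: From: names a forged third party, while the bottom-most
    # Received: header records the host that actually injected the message.
    # All names, hosts and addresses are made up.
    SAMPLE_DIRECT = """\
    Received: from mx.example.net (mx.example.net [192.0.2.10])
        by mail.example.org with ESMTP id abc123; Thu, 21 Aug 2003 10:00:00 +0000
    Received: from HOSTNAME [198.51.100.7] by mx.example.net with SMTP;
        Thu, 21 Aug 2003 09:59:50 +0000
    From: "Some Poster" <someone@example.com>
    To: victim@example.org
    Subject: Re: Details

    Please see the attached file for details.
    """

    IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
    FROM_RE = re.compile(r"^\s*from\s+(\S+)", re.IGNORECASE)


    def first_hop(raw: str) -> tuple:
        """Return (host, ip) from the earliest Received: header. Each relay
        prepends its own Received: line, so the last one listed is the
        first hop, i.e. the relay that initially accepted the message."""
        msg = message_from_string(raw)
        received = [str(v) for v in msg.get_all("Received", [])]
        if not received:
            return ("", "")
        earliest = " ".join(received[-1].split())  # unfold the header
        host = FROM_RE.match(earliest)
        ip = IP_RE.search(earliest)
        return (host.group(1) if host else "", ip.group(1) if ip else "")


    def classify(raw: str) -> dict:
        """Compare the claimed From: domain with the injecting host. A
        mismatch is a triage signal for forged-sender mail, not proof:
        legitimate mail relayed through a third party mismatches too."""
        msg = message_from_string(raw)
        _, addr = parseaddr(msg.get("From", ""))
        domain = addr.rpartition("@")[2].lower()
        host, ip = first_hop(raw)
        mismatch = bool(domain) and not host.lower().rstrip(".").endswith(domain)
        return {"from_addr": addr, "from_domain": domain,
                "injecting_host": host, "injecting_ip": ip,
                "domain_mismatch": mismatch}
    ```

    When the mismatch fires, the injecting IP is what to report or block; replying to or bouncing to the From: address only adds to the backscatter the posters complain about.
    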
  6. Bill Unruh

    Bill Unruh Guest

    Barry Margolin <> writes:

    ]In article <bi1k0g$8f3$>,
    ]Bill Unruh <> wrote:
    ]>I get loads of bounce messages, almost all coming from the John Deere
    ]>company as the original ReceivedFrom site (well over a hundred in the
    ]>past day). And I get about 20 an hour coming to me directly. (Someone
    ]>must be stripping the attachments, because none have the attachment.)

    ]And I noticed that a disproportionate number of my bounces came from people
    ]I think read comp.lang.lisp, a newsgroup I post to frequently. It seems
    ]like the virus is somehow able to pick an "appropriate" sender to forge for
    ]particular destinations, presumably to make the message look legitimate.
    ]It made me think my machine was infected, but my AV software seems to be up
    ]to date and I couldn't find any of the files that the virus writes on my
    ]disk.

    Yes, it certainly forges the sender. Not sure where the John Deere stuff comes
    from (if it is them -- ARIN claims the address range as theirs, but John Deere
    does not know about it), since I certainly do not contribute to agricultural
    newsgroups (although some of the newsgroups could be characterised as
    contributing to the fertiliser store in the US).
    Since I run Linux, I do not see how my machine could be infected.
    Bill Unruh, Aug 21, 2003
    #6
  7. Bit Twister

    Bit Twister Guest

    On Thu, 21 Aug 2003 17:48:53 +0000 (UTC), Bill Unruh wrote:
    > Yes, it certainly forges the sender. Not sure where the John Deere stuff comes
    > from (if it is them -- ARIN claims the address range as theirs, but John Deere
    > does not know about it), since I certainly do not contribute to agricultural
    > newsgroups (although some of the newsgroups could be characterised as
    > contributing to the fertiliser store in the US).
    > Since I run Linux, I do not see how my machine could be infected.

    There is some speculation that, because of the rapid spread of the virus,
    a spam list may have been used to get it going. Names may have been
    pulled from Usenet.
    Bit Twister, Aug 21, 2003
    #7
  8. Jim Watt

    Jim Watt Guest

    On Tue, 19 Aug 2003 15:56:08 +0100, "Lord Shaolin" <abuse@127.0.0.1>
    wrote:

    >Full Info at: http://www.security-forums.com/forum/viewtopic.php?t=7662
    >
    >Warning: dangerous new variant of "Sobig" family spreading
    >
    >On 18th August 2003, MessageLabs, the email security company, intercepted
    >several copies of a mass-mailing virus which were identified as
    >W32/Sobig.F-mm. The initial copies all originated from the United States.
    >
    >http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Sobig.F-mm

    Hmmm, it arrived here this afternoon. The world is shrinking.
    --
    Jim Watt http://www.gibnet.com
    Jim Watt, Aug 22, 2003
    #8