New Sobig variation on the loose W32/Sobig.F-mm

Discussion in 'Computer Security' started by Lord Shaolin, Aug 19, 2003.

  1. Lord Shaolin


    Full Info at: http://www.security-forums.com/forum/viewtopic.php?t=7662

    Warning: dangerous new variant of "Sobig" family spreading

    On 18 August 2003, MessageLabs, the email security company, intercepted
    several copies of a mass-mailing virus which were identified as
    W32/Sobig.F-mm. The initial copies all originated from the United States.

    http://www.messagelabs.com/viruseye/info/default.asp?virusname=W32/Sobig.F-mm

    --

    -+ Shaolin +-
    Discard what is useless, absorb what is not and
    add what is uniquely your own.

    .: http://www.security-forums.com :.
     
    Lord Shaolin, Aug 19, 2003
    #1

  2. Yup, it's on the loose. Our mail server has intercepted over 85
    infected emails in the last 3 hours... It's insane! I hope it slows
    down soon, or else I'll be spending the rest of my day deleting email
    from my inbox! Shouldn't this virus be upgraded to a "4" by now?
     
    Babe Ruthless, Aug 19, 2003
    #2

  3. I know the feeling. I have had 8 in the last 30 minutes on the work
    account. The one that really surprises me is the Yahoo account. I know I
    got 20-30 last night, and haven't looked this morning. I guess I ought to,
    so I can keep getting mail.

    --
    Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
    Systems Administrator
    Coordinated Home Care

    remove me to email to me
    group.
     
    Simon Telrenner, Aug 20, 2003
    #3
  4. Bill Unruh

    ]I know the feeling. I have had 8 in the last 30 minutes on the work
    ]account. The one that really surprises me is the Yahoo account. I know I
    ]got 20-30 last night, and haven't looked this morning. I guess I ought to,
    ]so I can keep getting mail.

    ]--
    ]Kendal R. Emery, MCSE, Network+, A+, MCNGP #19
    ]Systems Administrator
    ]Coordinated Home Care
    ]
    ]remove me to email to me
    ]]> In article <>,
    ]> >Yup, it's on the loose. Our mail server has intercepted over 85
    ]> >infected emails in the last 3 hours... It's insane! I hope it slows
    ]> >down soon, or else I'll be spending the rest of my day deleting email
    ]> >from my inbox! Shouldn't this virus be upgraded to a "4" by now?
    ]>
    ]> Yep, very annoying. I'm getting lots of bounce messages because my
    ]address
    ]> is being forged as the sender of many of them. Since I post frequently to
    ]> Usenet, I'm apparently in thousands of people's address books.

    I get loads of bounce messages, almost all coming from the John Deere
    company as the original Received-from site (well over a hundred in the
    past day). And I get about 20 an hour coming to me directly. (Someone
    must be stripping the attachments, because none have the attachment.)
     
    Bill Unruh, Aug 21, 2003
    #4
  5. And I noticed that a disproportionate number of my bounces came from people
    I think read comp.lang.lisp, a newsgroup I post to frequently. It seems
    like the virus is somehow able to pick an "appropriate" sender to forge for
    particular destinations, presumably to make the message look legitimate.
    It made me think my machine was infected, but my AV software seems to be up
    to date and I couldn't find any of the files that the virus writes on my
    disk.
     
    Barry Margolin, Aug 21, 2003
    #5
  6. Bill Unruh

    ]In article <bi1k0g$8f3$>,
    ]>I get loads of bounce messages, almost all coming from the John Deere
    ]>company as the original Received-from site (well over a hundred in the
    ]>past day). And I get about 20 an hour coming to me directly. (Someone
    ]>must be stripping the attachments, because none have the attachment.)

    ]And I noticed that a disproportionate number of my bounces came from people
    ]I think read comp.lang.lisp, a newsgroup I post to frequently. It seems
    ]like the virus is somehow able to pick an "appropriate" sender to forge for
    ]particular destinations, presumably to make the message look legitimate.
    ]It made me think my machine was infected, but my AV software seems to be up
    ]to date and I couldn't find any of the files that the virus writes on my
    ]disk.

    Yes, it certainly forges the sender. Not sure where the John Deere stuff comes
    from (if it is them -- ARIN claims the address range as theirs, but John Deere
    does not know about it), since I certainly do not contribute to agricultural
    newsgroups (although some of the newsgroups could be characterised as
    contributing to the fertiliser store in the US).
    Since I run Linux, I do not see how my machine could be infected.
     
    Bill Unruh, Aug 21, 2003
    #6
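The point made in the two posts above (a bounce carrying your address in From: says nothing about your own machine; only the earliest Received: hop of the bounced original tells you which host actually injected the mail, which is how one ends up with "John Deere" as the apparent origin) as a worked example. This is added here and is not code from the thread. The bounce message is constructed for the demo, every host name, address and IP in it is a placeholder, and OUR_DOMAIN / OUR_RELAY_IPS are assumptions standing in for the reader's own mail infrastructure.

```python
# Triage of bounce messages ("backscatter") produced when a mass-mailer forges
# someone else's address as the sender.  Added example, not from the original
# thread.  SAMPLE_BOUNCE is constructed; all hosts/IPs are placeholders, and
# OUR_DOMAIN / OUR_RELAY_IPS are assumptions about the reader's own setup.
import email
import re
from collections import Counter
from email import policy

OUR_DOMAIN = "example.org"          # assumption: the domain whose addresses are being forged
OUR_RELAY_IPS = {"192.0.2.10"}      # assumption: IPs of the relays we genuinely send through

# "Received: from <helo-name> (<reverse-dns> [<ip>]) by ..." as written by each relay.
RECEIVED_FROM = re.compile(r"from\s+(?P<helo>\S+)(?:\s*\((?P<info>[^)]*)\))?", re.IGNORECASE)
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed delivery-status notification with the forged original attached.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@relay.example.net
To: unruh@example.org
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B"

--B
Content-Type: text/plain

This is the mail system at host relay.example.net. Your message could not be delivered.

--B
Content-Type: message/delivery-status

Reporting-MTA: dns; relay.example.net
Action: failed
Status: 5.1.1

--B
Content-Type: message/rfc822

Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.net with ESMTP id x1; Thu, 21 Aug 2003 09:12:01 -0400
Received: from pc17.corp.example.com (unknown [198.51.100.23])
\tby relay.example.net with SMTP id y2; Thu, 21 Aug 2003 09:11:55 -0400
From: unruh@example.org
To: victim@example.net
Subject: Re: Thank you!
Content-Type: text/plain

See the attached file for details

--B--
"""


def extract_original(bounce_text):
    """Return the bounced message embedded as message/rfc822 in a DSN, or None."""
    dsn = email.message_from_string(bounce_text, policy=policy.default)
    for part in dsn.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_chain(msg):
    """Hops as (helo_name, ip) in delivery order, earliest relay first.
    Every relay prepends its own Received: line, so the LAST header in the
    message is the FIRST hop: the machine that injected the mail."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_FROM.search(str(hdr))
        if not m:
            continue
        ipm = IPV4_IN_BRACKETS.search(m.group("info") or "")
        hops.append((m.group("helo"), ipm.group(1) if ipm else None))
    return list(reversed(hops))


def triage(bounce_text):
    """Decide whether a bounce means our address was forged or one of our own
    relays really sent the message.  From: proves nothing (the worm writes
    whatever it likes there); only the first Received: hop does."""
    orig = extract_original(bounce_text)
    if orig is None:
        return {"verdict": "no-original-attached"}
    chain = received_chain(orig)
    helo, ip = chain[0] if chain else (None, None)
    sender = str(orig.get("From", ""))
    if ip in OUR_RELAY_IPS:
        verdict = "sent-from-our-relay"     # look at our own hosts for an infection
    elif sender.lower().endswith("@" + OUR_DOMAIN):
        verdict = "forged-sender"           # backscatter; the infected box is elsewhere
    else:
        verdict = "unrelated"
    return {
        "verdict": verdict,
        "from": sender,
        "subject": str(orig.get("Subject", "")),
        "first_hop_helo": helo,
        "first_hop_ip": ip,
    }


def tally_origins(bounces):
    """Count first-hop IPs over many bounces: one dominant origin (a single
    company's address range, say) points at one heavily infected site."""
    counts = Counter()
    for text in bounces:
        counts[triage(text).get("first_hop_ip")] += 1
    return counts


if __name__ == "__main__":
    print(triage(SAMPLE_BOUNCE))
    print(tally_origins([SAMPLE_BOUNCE]))
```

The HELO name in the first hop is whatever the infected client claimed and is not trustworthy; the bracketed IP is what the accepting relay observed, so comparisons are made on the IP. Feed tally_origins a directory of saved bounces to see whether the backscatter is coming from one site or from everywhere.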
  7. Bit Twister

    There is some speculation, because of the rapid spread of the virus,
    that a spam list may have been used to get it going. Names may have been
    pulled from Usenet.
     
    Bit Twister, Aug 21, 2003
    #7
  8. Jim Watt

    Hmmm, it arrived here this afternoon. The world is shrinking.
     
    Jim Watt, Aug 22, 2003
    #8