[H] Virus, Sobig.F
Posted: Thu Apr 08, 2004 6:18 pm
Sorry to say our computer seemed to be infected with a virus that might
have sent an email containing an attachment. In case you received a file
and opened it, you can remove the virus with the W32.Sobig.F@mm Removal
Tool, which you can download at:
http://securityresponse.symantec.com/av ... .tool.html
Information on the virus:
W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to
all the email addresses it finds in the files that have the following
extensions:
· .dbx
· .eml
· .hlp
· .htm
· .html
· .mht
· .wab
· .txt
The worm uses its own SMTP engine to propagate. It also attempts to create
a copy of itself on accessible network shares, but fails due to bugs in the
code.
Email routine details
The email message has the following characteristics:
From: Spoofed address (which means that the sender in the "From" field is
most likely not the real sender). The worm may also use the address,
admin@internet.com, as the sender.
NOTES:
· The spoofed addresses and the Send To addresses are both taken from
the files found on the computer. Also, the worm may use the infected
computer's settings to check for an SMTP server to contact.
· The choice of the internet.com domain appears to be arbitrary and
does not have any connection to the actual domain or its parent company.
Subject:
· Re: Details
· Re: Approved
· Re: Re: My details
· Re: Thank you!
· Re: That movie
· Re: Wicked screensaver
· Re: Your application
· Thank you!
· Your details
Body:
· See the attached file for details
· Please see the attached file for details.
Attachment:
· your_document.pif
· document_all.pif
· thank_you.pif
· your_details.pif
· details.pif
· document_9446.pif
· application.pif
· wicked_scr.scr
· movie0045.pif
NOTES:
· The worm de-activates on September 10, 2003. The last day after
which the worm should stop spreading is September 9, 2003. However,
computers with out-of-date system clocks are still vulnerable to the worm
and may contribute to its spread after the de-activation date.
· The aforementioned de-activation date applies only to the
mass-mailing, network propagation, and email address collection routines.
This means that a W32.Sobig.F@mm-infected computer will still attempt to
download the updates from the respective list of master servers during the
associated trigger period, even after the infection de-activation date.
Previous variants of Sobig exhibited similar behavior.
· Outbound UDP traffic was observed on August 22nd, coming from
systems infected with both Sobig.E and Sobig.F. However, the target IP
addresses were either not responding, taken offline, or contained
non-executable content; that is, a link to an adult site.
· W32.Sobig.F@mm uses a technique known as "email spoofing," by which
the worm randomly selects an address it finds on an infected computer. For
more information on email spoofing, see the "Technical Details" section below.
Symantec Security Response has developed a removal tool to clean the
infections of W32.Sobig.F@mm.
---------------
"It is the life-force which cures diseases because a dead man needs no more
medicines."
Samuel Hahnemann
Visit our website on Hahnemannian Homoeopathy and Cyberspace Homoeopathic
Academy at
http://www.simillimum.com
David Little © 2000
_______________________________________________
Homeopathy Mailing List
homeopathy@homeolist.com
http://www.homeolist.com/mailman/listinfo/homeopathy
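The advisory above lists the worm's fixed subjects, body lines and attachment names, which is enough to build a simple mail-triage filter. The following is an added example (not Symantec's tool and not code from the original post) that parses a raw RFC 822 message with Python's standard email library and reports which Sobig.F indicators it matches. The two sample messages are constructed for the demonstration; the attachment body is a harmless placeholder string, not worm content.

```python
"""Flag incoming mail that matches the W32.Sobig.F@mm indicators quoted in
the advisory: subject line, body text, attachment filename and the .pif/.scr
payload extension.  Added example for gateway or mailbox triage; the sample
messages below are constructed, not captured traffic."""
from email import message_from_string
from email.message import Message

# Indicator lists copied from the advisory text above.
SOBIG_F_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_F_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
# Extensions the worm ships under; they rarely have a legitimate reason to
# arrive by mail, so an unknown name with one of these is a weaker indicator.
SUSPICIOUS_EXTENSIONS = (".pif", ".scr")


def attachment_names(msg: Message) -> list[str]:
    """Return the filenames of every attached part (empty for plain mail)."""
    names = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def sobig_f_indicators(raw: str) -> list[str]:
    """Return the indicators matched by one raw message, e.g.
    ['subject', 'body', 'attachment:application.pif']."""
    msg = message_from_string(raw)
    hits = []
    if (msg.get("Subject") or "").strip() in SOBIG_F_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        # The worm's body is a bare text/plain part without a filename.
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            if payload.decode("latin-1", "replace").strip() in SOBIG_F_BODIES:
                hits.append("body")
                break
    for name in attachment_names(msg):
        if name.lower() in SOBIG_F_ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.lower().endswith(SUSPICIOUS_EXTENSIONS):
            hits.append(f"extension:{name}")
    return hits


def is_sobig_f(raw: str) -> bool:
    """Quarantine rule: a known attachment name alone is decisive; otherwise
    require subject + body + a .pif/.scr attachment, so that a legitimate
    'Re: Details' reply is not quarantined on its subject alone."""
    hits = sobig_f_indicators(raw)
    if any(h.startswith("attachment:") for h in hits):
        return True
    has_ext = any(h.startswith("extension:") for h in hits)
    return "subject" in hits and "body" in hits and has_ext


# Constructed sample: the worm's message shape (payload is a placeholder).
WORM_SAMPLE = (
    "From: admin@internet.com\r\n"
    "To: someone@example.invalid\r\n"
    "Subject: Re: Your application\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Please see the attached file for details.\r\n"
    "--b1\r\n"
    'Content-Type: application/octet-stream; name="application.pif"\r\n'
    'Content-Disposition: attachment; filename="application.pif"\r\n'
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n"
    "Q09OU1RSVUNURUQ=\r\n"
    "--b1--\r\n"
)

# Constructed sample: a normal reply that happens to share a worm subject.
BENIGN_SAMPLE = (
    "From: colleague@example.invalid\r\n"
    "To: someone@example.invalid\r\n"
    "Subject: Re: Details\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n"
    "\r\n"
    "Here are the details we discussed on the phone.\r\n"
)

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sobig_f_indicators(sample), "quarantine" if is_sobig_f(sample) else "deliver")
```

Run stand-alone, the script reports the constructed worm message as quarantined on subject, body and attachment name, while the benign reply matches only the subject and is delivered. Tightening the rule to a single indicator would catch the worm just as well but would also hold back ordinary "Re: Details" mail.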