Mustang and Ford Performance Forums banner
1 - 8 of 8 Posts

·
Premium Member
Joined
·
19,260 Posts
Discussion Starter · #1 ·
For the past 3 weeks or so, my inbox has been flooded with emails with attachments. I know better than to open them, so I have just been deleting them.

I finally got tired of deleting them, and searched Symantec's site for more information on the virus.

Here is what I found.

Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 4 from a Category 3 threat as of August 21, 2003.

W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:

.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.

Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

NOTES:
The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
Outbound UDP traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.

Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.

Also Known As: Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]

Type: Worm
Infection Length: about 72,000 bytes

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x

I'll be patiently awaiting September 9th! If you email me and I haven't replied, it's possible that I could have deleted your email, or that I just didn't see it. I am getting hundreds of these emails by the hour.
 

·
Registered
Joined
·
652 Posts
We get about 150 a day at the dealership. Yesterday I got an email that said, "let's get together, it's been awhile". Next I got one that said, "let's meet at the pub". I deleted both, when I went to my desktop, I had five new folders. When I clicked on IE, it took me to surferbar.com. It also put five icons on my address bar for porno sites. I changed the properties for IE and it would go right back to surferbar.com. This is a brand new spyware that no one has a fix for. I read up on it on Yahoo and followed the instructions to manually delete it from the registry. Every time I would go on IE and I would be reading something, it would open a new window to surferbar.com. What a PITA!!!!! RAY

Read this: http://www.pchell.com/support/surferbar.shtml
 

·
Registered
Joined
·
38 Posts
Hey Eric, thanks for the link to that AVG site. I haven't had a problem with viruses, but I didn't feel like shelling out the bucks for another copy of Nortons, and this AVG does appear to work very well.

Chris
 

·
Registered
Joined
·
119 Posts
It's possible that you have been getting them from the same computer. Although the emails list different names in the "From:" portion, as you found that is just a spoof. Check the email headers and you may find they are actually being sent from the same computer. Block that IP address at your mail server and the viruses will stop provided the sender’s IP does not change again.
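
The header check suggested in the reply above, as an added example that is not part of the original thread: it groups messages carrying the advisory's attachment names by the IP in the topmost Received header, the only one written by your own mail server (assumed here to be the hypothetical mx.example.net). The sample messages, addresses and IPs are constructed.

```python
import re
from collections import defaultdict
from email import message_from_string

# Attachment names from the advisory quoted in the first post.
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif"}
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message (documentation IPs, hypothetical mx.example.net).
# The second Received line stands in for a hop the sender could have forged.
TEMPLATE = """\
Received: from unknown ([{ip}]) by mx.example.net; Thu, 21 Aug 2003 10:00:00 -0500
Received: from mail ([203.0.113.5]) by relay.invalid; Thu, 21 Aug 2003 09:59:00 -0500
From: {sender}
Subject: Re: Details
Content-Type: multipart/mixed; boundary="b"

--b
Content-Disposition: attachment; filename="{name}"

constructed placeholder, no payload
--b--
"""
SAMPLES = [TEMPLATE.format(ip=i, sender=s, name=n) for i, s, n in [
    ("192.0.2.10", "alice@example.com", "details.pif"),
    ("192.0.2.10", "bob@example.org", "thank_you.pif"),
    ("198.51.100.7", "carol@example.com", "notes.txt")]]

def connecting_ip(msg):
    """IP in the topmost Received header, the one our own server wrote."""
    received = msg.get_all("Received") or [""]
    match = IP_IN_BRACKETS.search(received[0])
    return match.group(1) if match else None

def attachment_names(msg):
    return {(p.get_filename() or "").lower() for p in msg.walk()} - {""}

def group_by_sender_ip(raw_messages):
    """Connecting IP -> spoofed From addresses, for listed attachments only."""
    hits = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw)
        if attachment_names(msg) & SOBIG_F_ATTACHMENTS:
            hits[connecting_ip(msg)].add(msg["From"])
    return dict(hits)
```

Several different From addresses mapping to one connecting IP is the pattern the reply describes; lower Received lines are ignored because the sending machine can write anything into them.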
 

·
Registered
Joined
·
518 Posts
I had the same problem. Every time I would check my mail I would get 5 or so. I could immediately recheck it and have 5 more. But, they all of a sudden just quit coming. AVG does work real well, and best of all it is FREE.


Brandon
 