Virus W32.SoBig.f@mm is still going strong!

Well I hadnt check my yahoo mail for a week or so and went to see if there was anything good there? Big mistake, well not as such as I do have Norton Virus protection etc, but was suprised to find these (below in my 'bulk post')!




from: [email protected]
file name: application.pif
file type: application/octet-stream


from: [email protected]
file name: your_details.pif
file type: application/octet-stream

from: [email protected]
file name: document_all.pif
file type: application/octet-stream



The first was sent last Thursday 28th August at 14.32pm

The second was sent Sunday 31st August 09.57am

And the last one came this morning 3rd September 07.34am


And where did they all come from, yes thats right: W32.SoBig.f@mm

I have virus scan's all over my Pc, but I didnt think that this virus could get through my Firewall, I was wrong (well half as I didnt open them).


So are these new one's or just delayed ?




blackwidow

Oh yeah, yesterday I had 5 virus emails with a .pif file attached to it.
Luckally my email provider blocks virus emails.
They are probably new...

I received this one this afternoon:

** deinternetman.net... virusscanner; powered by: f-prot.com... **

(English version below)

De server heeft een e-mail bericht onderschept en verwijderd welke een
virus bevatte. Onder kunt u ter informatie de berichtheaders vinden:

This server has intercepted and removed an e-mail message containing a
virus. For your information, the message headers are listed below:




Received: (qmail 11161 invoked from network); 3 Sep 2003 12:11:09 -0000
Received: from 210-54-66-98.dialup.xtra.co.nz (HELO WAYNE) (210.54.66.98)by hosted.by.deinternetman.nl with SMTP; 3 Sep 2003 12:11:09 -0000
From:
To:
Subject: Re: Approved
Date: Thu, 4 Sep 2003 0:11:01 +1200
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="_NextPart_000_002827F7"

Content-Type: text/plain;charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Content-Type: application/octet-stream;name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;filename="document_9446.pif"

[Edited on 3-9-2003 by Zion Mainframe]

Thanks ZM at least I know now Im not the only person still getting the SoBig.f virus still!




blackwidow

Blackwidow,

Yeah, SoBig is still crawling around. Look like it'll continu like this for a while. Pisses us off, cuz we support computer networks, and some people still open attachement they shouldn't. Thanks to Norton, most computer don't get infected. But we still get called all the time for it.

Any one want to trade my punching bag for a virus writer?

Our in-house email server has been bombarded for the last week or two. We have scanned and quarantined over 10,000 instances of this virus. Luckily, our email infrastructure is able to handle this issue realitivly easily.

I have read reports that this virus has an "off" switch set to Sept. 10. I suppose we'll see another, more damaging variant after that.

m0rbid -

If you are using Outlook 2000 or above, there is a Office patch that will not allow Outlook access to executible files (through email) at the desktop level. This and a good AV scanner on the SMTP server should keep you relativly virus free.

Dr Know

Thanks for that, I dont think I've heard of the "of switch" before now! It will just stop like that ...... all of a sudden?




blackwidow

Originally posted by Dr. Know
m0rbid -

If you are using Outlook 2000 or above, there is a Office patch that will not allow Outlook access to executible files (through email) at the desktop level. This and a good AV scanner on the SMTP server should keep you relativly virus free.

Executable are not allowed (.exe) but I think .pif are. In anyways, anti-virus are installed on the server and stations, and effectivly block the virus that passes.
Plus, I made custom filter on the mail server for know 'email subject' used by SoBig (like "wicked screensaver", "that movie", etc etc..) so most of them are blocked from reaching the workstation.

Sobig is attacking my university even as I type this.
This is a malicious little brat, no?

Just your casual email worm, the problem is that the level of social engineering was a bit higher, so more people openned the attachement, so spreading happened more quickly. Blame human stupidity.