
Worst Virus Ever Slams the Web

Status
Not open for further replies.

Jack Gordon

Serial Entrepreneur
Legacy Exclusive Member
Joined
Nov 6, 2002
Messages
2,406
Reaction score
214
total ****ing insanity

I'd like to get my hands on this prick and teach him all about inconvenience
 

Nexus

DNF Addict
Legacy Exclusive Member
Joined
Sep 11, 2002
Messages
1,495
Reaction score
0
Let me repost this here for people:
---------------------------------
Definitely read up on the viral worm called SoBig:
http://www.f-secure.com/v-descs/sobig_f.shtml

If you're like me, you've been getting a bevy of e-mails lately from this horror. Some highlights:

Sobig sends massive amounts of mail. The sender information of these mails is wrong and doesn't indicate the real infected user. The attachment has a size of around 70KB and it's packed with TELock. It has its own SMTP engine, apart from routines to query DNS servers directly and make requests using the Network Time Protocol.

The worm usually arrives in e-mails with the following characteristics:
From:
The 'From:' field is filled with an address found from the infected system. If no address is found, it will use "[email protected]"

To:
The 'To:' field is filled with an address found from the infected system.

Subject, any from the list:
  • Re: Thank you!
  • Thank you!
  • Your details
  • Re: Details
  • Re: Re: My details
  • Re: Approved
  • Re: Your application
  • Re: Wicked screensaver
  • Re: That movie

Body, it chooses one from the two following lines:
See the attached file for details
Please see the attached file for details.

Attachment names can be any from:
  • your_document.pif
  • document_all.pif
  • thank_you.pif
  • your_details.pif
  • details.pif
  • document_9446.pif
  • application.pif
  • wicked_scr.scr
  • movie0045.pif

I was getting several e-mails from myself, and a thorough check revealed that none of the machines I work from had been infected. In fact, the IP addresses generating the e-mails were from a completely different area of the US.

For example, if you view the "HEADERS" on an e-mail message (in Outlook Express, just "get properties" on the message and click the "View Source" button) you will see information about how the message was transmitted. You can see what's called the IP address of the sender here:
--------------------------------
Return-Path: <[email protected]>
Received: from [MY SERVER ADDRESS] (root@localhost)
by [MY DOMAIN NAME] (8.11.6/8.11.6) with ESMTP id h7KEPj113307
for <[email protected]>; Wed, 20 Aug 2003 10:25:45 -0400
X-ClientAddr: 146.145.108.108 <<<<--- THIS IS THE IP ADDRESS SENDING IT
Received: from TERRIH ([146.145.108.108])
by [MY SERVER ADDRESS] (8.11.6/8.11.6) with SMTP id h7KEPbv13295
for <[email protected]>; Wed, 20 Aug 2003 10:25:37 -0400
Message-Id: <200308201425.h7KEPbv13295@[MY SERVER ADDRESS]>
From: <[email protected]> <<<<--- FORGED E-MAIL ADDRESS
To: <[email protected]>
Subject: Your details
Date: Wed, 20 Aug 2003 9:31:23 --0400
X-MailScanner: Found to be clean
--------------------------------

I immediately blocked messages from these IP addresses on the server level, and the mail immediately stopped (there were only 2 or 3 IP addresses that sent out mountains of these). I'm still getting "bounce-backs" however from e-mail boxes that the virus was trying to contact pretending to be one of MY e-mail addresses (which it must have gotten from someone I knew, or from the browser cache of someone who browsed to one of my websites). How about that, huh? Not a THING I can do about it (except attempt to contact the IP block owner, though the numbers have been disconnected...) Some of these bounce-backs, thankfully, are from Virus Scanning programs confirming that these falsified e-mails had the virus in them.

Read on f-secure, you can see the disturbing "bigger picture" going on here, as these viruses are set to auto-destruct after a certain window of time.
Code:
 Variant         Found           Expires         Detection
 __________________________________________________
 Sobig.A         January 9th     NO              2003-01-09
 Sobig.B         May 18th        May 31st        2003-05-19
 Sobig.C         May 31st        June 8th        2003-06-01
 Sobig.D         June 18th       July 2nd        2003-06-18
 Sobig.E         June 25th       July 14th       2003-06-26
 Sobig.F         August 1st      Sept 10th       2003-08-01
 __________________________________________________
You get the distinct impression that the author(s) are running a series of tests, steadily modifying and updating this monster into something truly unthinkable.

I truly wish that the DNS would just run a check to see if the mail came from my mail server's IP address, before sending it on. At least mark it as suspicious. It's disgusting.

Companies I've been working with (including my own) have been losing a LOT of time to this beast (amongst others).
---------------------------------
~ Nexus
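The header reading Nexus walks through above (take the bracketed IP from the earliest "Received:" line, ignore the forged "From:", then block the handful of hosts sending mountains of it), as an added Python example that is not from the post. The message text, host names, addresses and the 198.51.100.0/24 "authorized sender" range are constructed placeholders, and the per-domain AUTHORIZED_SENDERS lookup is a stand-in for the sender-IP check the post wishes the DNS would make.

```python
import email
import email.utils
import ipaddress
import re
from collections import Counter
from email.message import Message

# Constructed sample modelled on the header excerpt in the post. Hosts,
# addresses and the 203.0.113.0/24 client block are documentation placeholders.
SAMPLE_RAW = """\
Return-Path: <alice@example.com>
Received: from mail.example.com (root@localhost)
\tby mail.example.com (8.11.6/8.11.6) with ESMTP id h7KEPj113307
\tfor <bob@example.com>; Wed, 20 Aug 2003 10:25:45 -0400
X-ClientAddr: 203.0.113.108
Received: from TERRIH ([203.0.113.108])
\tby mail.example.com (8.11.6/8.11.6) with SMTP id h7KEPbv13295
\tfor <bob@example.com>; Wed, 20 Aug 2003 10:25:37 -0400
Message-Id: <200308201425.h7KEPbv13295@mail.example.com>
From: <alice@example.com>
To: <bob@example.com>
Subject: Your details
Date: Wed, 20 Aug 2003 9:31:23 -0400

See the attached file for details
"""

# Assumed policy: where each domain's legitimate outbound mail comes from.
# This is the check the post wishes existed (what SPF later standardised).
AUTHORIZED_SENDERS = {
    "example.com": [ipaddress.ip_network("198.51.100.0/24")],
}

IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def originating_ip(msg: Message):
    """Client IP recorded in the earliest Received header, or None.

    Each hop prepends its own Received line, so the last one in the message is
    the first hop our server saw. The bracketed IP was taken by our MTA from
    the TCP connection; the HELO name before it ("TERRIH") is whatever the
    client claimed and is not trustworthy.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = IPV4_IN_BRACKETS.search(received[-1])
    return match.group(1) if match else None


def sender_domain(msg: Message):
    """Lower-cased domain of the From address (the forged part), or None."""
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() or None


def check_origin(raw: str, policy=AUTHORIZED_SENDERS) -> dict:
    """Classify one message: did it come from a host allowed to use its From domain?"""
    msg = email.message_from_string(raw)
    ip = originating_ip(msg)
    domain = sender_domain(msg)
    verdict = "unknown"  # no usable Received line, or a domain we have no policy for
    if ip and domain in policy:
        allowed = any(ipaddress.ip_address(ip) in net for net in policy[domain])
        verdict = "authorized" if allowed else "forged"
    return {"origin_ip": ip, "from_domain": domain, "verdict": verdict}


def hosts_to_block(raw_messages, threshold=3):
    """Count forged messages per originating IP; return the repeat offenders.

    This is the "2 or 3 IP addresses that sent out mountains" the post blocked
    at the server: one forged message is noise, a stream from one host is not.
    """
    hits = Counter()
    for raw in raw_messages:
        result = check_origin(raw)
        if result["verdict"] == "forged" and result["origin_ip"]:
            hits[result["origin_ip"]] += 1
    return sorted(ip for ip, count in hits.items() if count >= threshold)


if __name__ == "__main__":
    print(check_origin(SAMPLE_RAW))
    print(hosts_to_block([SAMPLE_RAW] * 5))
```

The point of reading the last Received line rather than X-ClientAddr or From is that only the bracketed IP was observed by your own server; everything else in the message, including the HELO name and both addresses, was written by the infected client.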
 

pam

Level 5
Legacy Platinum Member
Joined
Dec 6, 2002
Messages
254
Reaction score
0
I received more than 5,000 in 2 days. It's definitely the worst outbreak I've ever seen. Every 10 minutes or so I'd receive 10-40, and most were from 6 ISPs, and having read more, I found out the virus sends out in 10-minute increments and keeps resending to those in the address book.

Oddly enough, at 10 am today it stopped and I've not received a single virus since then. My filters didn't work yesterday; maybe they needed a day off:)
 

.biz

Level 8
Legacy Platinum Member
Joined
Dec 14, 2002
Messages
1,050
Reaction score
0
I'm going to miss a lot of domain renewal notification emails because these viruses always fill my Yahoo mail boxes.

And Yahoo doesn't take action to reject this kind of mail. The mail filter function wouldn't work either because it only filters by recipient name.


:(
 

Nexus

DNF Addict
Legacy Exclusive Member
Joined
Sep 11, 2002
Messages
1,495
Reaction score
0
Just everyone thank their lucky stars they didn't own Internet.com, and use it as a mail service.
From F---edCompany.com:
Big
So in one incarnation of the SoBig.F Worm (you know, those email attachments you've been getting the past few days from all your friends), the return-address is "[email protected]" -- flooding Jupiter MediaMetrix's Internet.com email servers with billions of bounce backs and replies...
When: 8/22/2003
Company: Internet.com
Severity: 40
Points: 138
::: Blink :::

~ Nexus
 

DotLeader

Level 7
Legacy Platinum Member
Joined
Jun 7, 2003
Messages
757
Reaction score
0
This virus has been around for months, hasn't it, and just now spiked up again?

Or there was one very similar to it.
 

Mr Webname

Oldbie
Legacy Exclusive Member
Joined
Jan 29, 2003
Messages
3,743
Reaction score
0
"Worm" viruses have been around for ages but I think the "Sobig" worm was only recent and with potentially serious consequences. As it is, much disruption was caused by the way it populated emails across the Internet; many people received hundreds, some thousands.
 

.com.net.org

Level 8
Legacy Platinum Member
Joined
Oct 20, 2002
Messages
1,951
Reaction score
0
I think yahoo has taken some actions about this virus.

Notice the announcement at your mail page.
 

.biz

Level 8
Legacy Platinum Member
Joined
Dec 14, 2002
Messages
1,050
Reaction score
0
Today's tip: VIRUS ALERT - W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in certain files on your PC. If you receive a message with an attachment with a .pif or .scr extension, we strongly suggest you scan it before downloading. The message may appear to be from someone you know.


It's the quote from Yahoo!


This doesn't solve the virus problem. It's just a protective advice, and the virus still fills up my mailboxes every 30 minutes.
 

Nexus

DNF Addict
Legacy Exclusive Member
Joined
Sep 11, 2002
Messages
1,495
Reaction score
0
The virus is reportedly pointing its sights at Time Warner now. A new strain has been detected with Time Warner's properties presumably as an attack focus.

A recent internal memo from Dream Works Pictures:
Attention all Dreamworkers !

The SoBig virus outbreak is still very active on the Internet. In order to keep DW email accounts from filling up with quarantined emails, we have implemented a new filter on our email gateway.
This new filter will prevent the known variants of the SoBig virus from coming into our network. Below is a list of the subject lines that will be banned. Please be aware that any emails you send with similar subject lines will be undeliverable.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

If you still receive emails with the above subject lines, please delete them. If you are unclear on any part of this email, please contact the Help Desk @ x-xxxx.

Thank You

IT Operations
Eesh. Doesn't get more basic than that.

~ Nexus
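The gateway filter in the memo above, as an added Python example that is not from the post or from the company's actual gateway. It applies the memo's subject-line list and, alongside it, the attachment-extension check from the F-Secure description earlier in the thread, so you can see what each rule catches and what it costs: the subject rule blocks a legitimate "Thank you!" exactly as the memo warns, while the extension rule catches the .pif payload whatever subject a later variant uses. The messages are constructed with placeholder addresses and a dummy attachment.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines banned by the gateway filter quoted in the memo.
BANNED_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}

# Attachment extensions the worm uses (from the F-Secure list in the thread).
BANNED_EXTENSIONS = (".pif", ".scr")


def classify(raw: str) -> dict:
    """Decide whether a gateway would hold this message, and for which rule(s)."""
    msg = email.message_from_string(raw, policy=policy.default)
    subject = (msg.get("Subject") or "").strip()
    # iter_attachments() yields nothing for a plain single-part message.
    attachments = [part.get_filename() or "" for part in msg.iter_attachments()]
    bad_attachments = [
        name for name in attachments if name.lower().endswith(BANNED_EXTENSIONS)
    ]
    reasons = []
    if subject in BANNED_SUBJECTS:
        reasons.append("subject")
    if bad_attachments:
        reasons.append("attachment")
    return {
        "subject": subject,
        "attachments": attachments,
        "block": bool(reasons),
        "reasons": reasons,
    }


def make_message(subject: str, filename=None) -> str:
    """Build a constructed test message (placeholder addresses, dummy payload)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file for details")
    if filename:
        # Placeholder bytes only; this is not an executable of any kind.
        msg.add_attachment(
            b"placeholder attachment bytes",
            maintype="application",
            subtype="octet-stream",
            filename=filename,
        )
    return msg.as_string()


if __name__ == "__main__":
    for subj, name in [("Your details", "your_details.pif"),
                       ("Thank you!", None),
                       ("Re: Invoice", "movie0045.pif"),
                       ("Re: Invoice", "report.pdf")]:
        print(classify(make_message(subj, name)))
```

A subject-only filter is the cheapest thing to deploy on a sendmail gateway in an afternoon, which is why the memo reads the way it does, but the attachment rule is the one that would still hold the next variant.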
 

Restecpa

Level 6
Legacy Platinum Member
Joined
Mar 5, 2003
Messages
525
Reaction score
17
This was driving me crazy too, especially as I was getting like 200 of them every few hours. Like that was not enough, my AV on my PC kept informing me about each and every email it found infected, which means I had to press OK about 200 times every few hours when I checked for new mail or, even worse, up to 700 once when I forgot to check my mail overnight ;) Luckily my AV detected them all, but it still takes a loooooot of time to confirm each and every one of them, then delete them from your inbox once the AV removes those attachments from them. It was nothing but a waste of time, so I had to do something about it server-wide.

If you own your own dedicated server running Ensim, I suggest you install MailScanner (+ Clam AV), which will take care of that junk for good ;) cPanel servers (I believe) have this already installed; you just have to enable it.

If you or anyone is interested, here's an easy HOW-TO by GPAN. Before you follow it, PM me for more info:

_________________________________________________

We have put together the following package which will install Mailscanner, Clam Antivirus and SpamAssassin on your Ensim 3.1, or Ensim Pro 3.5 server.

This package installs:
Mailscanner 4.22
Clam Antivirus 0.60
SpamAssassin 2.55


We have tested it on upgrades from 4.11 + Mailscanner versions without issues. If you have an older Mailscanner install, we would recommend uninstalling it first and deleting the /etc/MailScanner folder before running this package.

This package does not use f-prot as you need a commercial license for use in a business environment.

Installation:

1) Make sure you are su root (or -)

2) Download the appropriate installer to a folder on your server, then install it

Ensim Pro 3.5.x

wget http://download.cheetaweb.com/mailscanner-kit-3.5.0.tar.gz
tar -zxvf mailscanner-kit-3.5.0.tar.gz
cd mailscanner-kit-3.5.0
./mailscanner-clamav-spamassassin-3.5.0.sh

Ensim 3.1.x
wget http://download.cheetaweb.com/mailscanner-kit-0.2.72.tar.gz
tar -zxvf mailscanner-kit-0.2.72.tar.gz
cd mailscanner-kit-0.2
./mailscanner-ensim-0.2.sh

3) You will need to configure MailScanner as described

service sendmail stop
chkconfig --del sendmail
chkconfig --level 2345 MailScanner on
service MailScanner start

*NOTE 1* For Ensim 3.1 installs, this package requires that you be running a perl 5.6.0 environment.

*NOTE 2* If your /home partition is mounted separately from /, you will need to change the Incoming Queue to the following after installation, or Mailscanner will not run:

Incoming Queue Dir = /var/spool/mqueue.in

You will also need to edit /etc/cron.d/mqueuecron to run more frequently, i.e.

*/10 * * * * root /usr/lib/opcenter/virtualhosting/MailQueueCleaner

*NOTE 3* SpamAssassin is configured to only tag emails by default. You will need to reconfigure the delivery preferences in MailScanner.conf if you wish it to delete, bounce or otherwise remove the messages that have been tagged as spam.


__________________
Kudos to:
Geoffrey Pan, CISSP
www.cheetaweb.com
 

Restecpa

Level 6
Legacy Platinum Member
Joined
Mar 5, 2003
Messages
525
Reaction score
17
The scary part is, you wouldnt even know what it does until its too late..

QUOTE: "At noon, all computers worldwide that were infected with SoBig -- more than 100,000, according to Santa Clara antivirus firm Network Associates -- were to make contact with these 20 computers, where experts believe the worm was evidently destined to download more instructions. What those instructions would be, no one knew."
 