Let me repost this here for people:
---------------------------------
Definitely read up on the viral worm called SoBig:
http://www.f-secure.com/v-descs/sobig_f.shtml
If you're like me, you've been getting a bevy of e-mails lately from this horror. Some highlights:
Sobig sends massive amounts of mail. The sender information of these mails is wrong and doesn't indicate the real infected user. The attachment has a size of around 70KB and it's packed with TELock. It has its own SMTP engine, apart from routines to query DNS servers directly and make requests using the Network Time Protocol.
The worm usually arrives in e-mails with the following characteristics:
From:
The 'From:' field is filled with an address found on the infected system. If no address is found, it will use "[email protected]"
To:
The 'To:' field is filled with an address found on the infected system.
Subject, any from the list:
- Re: Thank you!
- Thank you!
- Your details
- Re: Details
- Re: Re: My details
- Re: Approved
- Re: Your application
- Re: Wicked screensaver
- Re: That movie
Body, it chooses one from the two following lines:
See the attached file for details
Please see the attached file for details.
Attachment names can be any from:
- your_document.pif
- document_all.pif
- thank_you.pif
- your_details.pif
- details.pif
- document_9446.pif
- application.pif
- wicked_scr.scr
- movie0045.pif
I was getting several e-mails from myself, and a thorough check revealed that none of the machines I work from had been infected. In fact, the IP addresses generating the e-mails were from a completely different area of the US.
For example, if you view the "HEADERS" on an e-mail message (in Outlook Express, just "get properties" on the message and click the "View Source" button) you will see information about how the message was transmitted. You can see what's called the IP address of the sender here:
--------------------------------
Return-Path: <[email protected]>
Received: from [MY SERVER ADDRESS] (root@localhost)
    by [MY DOMAIN NAME] (8.11.6/8.11.6) with ESMTP id h7KEPj113307
    for <[email protected]>; Wed, 20 Aug 2003 10:25:45 -0400
X-ClientAddr: 146.145.108.108
<<<<--- THIS IS THE IP ADDRESS SENDING IT
Received: from TERRIH ([146.145.108.108])
    by [MY SERVER ADDRESS] (8.11.6/8.11.6) with SMTP id h7KEPbv13295
    for <[email protected]>; Wed, 20 Aug 2003 10:25:37 -0400
Message-Id: <200308201425.h7KEPbv13295@[MY SERVER ADDRESS]>
From: <[email protected]>
<<<<--- FORGED E-MAIL ADDRESS
To: <[email protected]>
Subject: Your details
Date: Wed, 20 Aug 2003 9:31:23 --0400
X-MailScanner: Found to be clean
--------------------------------
I immediately blocked messages from these IP addresses at the server level, and the mail immediately stopped (there were only 2 or 3 IP addresses that sent out mountains of these). I'm still getting "bounce-backs", however, from e-mail boxes that the virus was trying to contact while pretending to be one of MY e-mail addresses (which it must have gotten from someone I knew, or from the browser cache of someone who browsed to one of my websites). How about that, huh? Not a THING I can do about it (except attempt to contact the IP block owner, though the numbers have been disconnected...). Some of these bounce-backs, thankfully, are from virus-scanning programs confirming that these falsified e-mails had the virus in them.
Read on at F-Secure and you can see the disturbing "bigger picture" going on here, as these viruses are set to auto-destruct after a certain window of time.
Code:
Variant   Found          Expires        Detection added
__________________________________________________
Sobig.A   January 9th    NO             2003-01-09
Sobig.B   May 18th       May 31st       2003-05-19
Sobig.C   May 31st       June 8th       2003-06-01
Sobig.D   June 18th      July 2nd       2003-06-18
Sobig.E   June 25th      July 14th      2003-06-26
Sobig.F   August 1st     Sept 10th      2003-08-01
__________________________________________________
You get the distinct impression that the author(s) are running a series of tests, steadily modifying and updating this monster into something truly unthinkable.
I truly wish that the DNS would just run a check to see if the mail came from my mail server's IP address, before sending it on. At least mark it as suspicious. It's disgusting.
Companies I've been working with (including my own) have been losing a LOT of time to this beast (amongst others).
---------------------------------
~ Nexus
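Added example, not part of Nexus's post or of F-Secure's write-up: a Python script that does by hand what the post does with "View Source". It walks the Received: headers newest-first, believes only the hops stamped by our own relay (the post's [MY SERVER ADDRESS], assumed here to be the placeholder mail.example.org), pulls out the bracketed peer IP that relay logged, checks that IP against a server-level block list like the one the post set up, and flags the Sobig.F subject lines and attachment names from the F-Secure list. The sample message, the nexus@example.org addresses and the four-byte "attachment" are constructed placeholders; 146.145.108.108 is the address shown in the post.

```python
import email
import email.utils
import ipaddress
import re

# Assumption: our own relay(s); the post redacts them as [MY SERVER ADDRESS].
TRUSTED_HOSTS = {"mail.example.org"}

# Sobig.F subjects and attachment names from the F-Secure text quoted above.
SUBJECTS = {"Re: Thank you!", "Thank you!", "Your details", "Re: Details",
            "Re: Re: My details", "Re: Approved", "Re: Your application",
            "Re: Wicked screensaver", "Re: That movie"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

# Constructed sample modelled on the headers in the post; addresses and host
# names are placeholders and the "attachment" is four harmless bytes, not the worm.
SAMPLE_RAW = """\
Received: from mail.example.org (root@localhost)
    by mail.example.org (8.11.6/8.11.6) with ESMTP id h7KEPj113307
    for <nexus@example.org>; Wed, 20 Aug 2003 10:25:45 -0400
X-ClientAddr: 146.145.108.108
Received: from TERRIH ([146.145.108.108])
    by mail.example.org (8.11.6/8.11.6) with SMTP id h7KEPbv13295
    for <nexus@example.org>; Wed, 20 Aug 2003 10:25:37 -0400
From: <nexus@example.org>
Subject: Your details
Content-Type: multipart/mixed; boundary="sobig-sample"

--sobig-sample
Content-Type: application/octet-stream; name="your_details.pif"
Content-Disposition: attachment; filename="your_details.pif"

AAAA
--sobig-sample--
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
                    re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(msg):
    """One dict per Received: header, newest (topmost) first.  'ip' is the
    bracketed peer address the MTA logged next to the HELO name, or None."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP_RE.search(hdr)
        if not m:
            continue
        ipm = IP_RE.search(m.group("info") or "")
        try:
            ip = str(ipaddress.ip_address(ipm.group(1))) if ipm else None
        except ValueError:
            ip = None  # digits in brackets that are not a valid address
        hops.append({"helo": m.group("helo"), "by": m.group("by").rstrip(";,"), "ip": ip})
    return hops


def originating_ip(msg, trusted_hosts=TRUSTED_HOSTS):
    """Peer IP logged by the first trusted relay whose peer is not also trusted.
    Headers below our own were supplied by the sender and may be forged, so the
    walk stops at the first hop not stamped by a trusted host."""
    for hop in received_hops(msg):
        if hop["by"] not in trusted_hosts:
            break
        if hop["helo"] not in trusted_hosts:
            return hop["ip"]
    return None


def sobig_f_indicators(msg):
    """Subject and attachment names matched against the lists above."""
    hits = []
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def analyse(raw, blocklist=()):
    """blocklist holds IPs or CIDR networks blocked at the server, as in the post."""
    msg = email.message_from_string(raw)
    origin = originating_ip(msg)
    nets = [ipaddress.ip_network(n) for n in blocklist]
    return {
        "hops": received_hops(msg),
        "origin_ip": origin,
        "x_client_addr": msg.get("X-ClientAddr"),  # this MTA's own copy of the same value
        "from": email.utils.parseaddr(msg.get("From", ""))[1],
        "indicators": sobig_f_indicators(msg),
        "blocked": origin is not None and any(ipaddress.ip_address(origin) in n for n in nets),
    }
```

Only the Received: line written by a server you control is evidence. Sobig speaks SMTP itself, so everything below that line, including any Received: headers, came from the infected machine and can say whatever it likes; that is why the walk stops at the first hop not stamped by a trusted host. The From: address is forged, as the post says, so it is reported but never used for attribution.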