RE: Annoying virus being mailed to me

I was getting them also, so I just stopped them on our mail server. I just started blocking anything from @boss.com

I don't get them anymore.

good luck.

Ron

-----Original Message-----
From: Don Voss [mailto:voss@albany.edu]
Sent: Friday, February 07, 2003 12:14 PM To: Chris Carter; security-basics@securityfocus.com Subject: Re: Annoying virus being mailed to me

On 7 Feb 2003 at 10:54, Chris Carter wrote:

> Hi guys, For the last two months or so I have been receiving emails

Chris,

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Are you joking ?

Well maybe not .. so here is the scoop. This is just another mass-mailer virus/worm event. The reason the ip address changes is that other users are being infected .. then transmitting. Another factor is that [ as mentioned below], it will mail it self to all email addresses found in various document formats found on the infected machine.

So .. I get these .. we all probably got/get a few a day/week. Depends how long you have had your email address and what kind of organization you work for + your circle of contacts. Add it all up .. it is a numbers game.

So .. here at the university .. I've had this address and others for 16+ years .. multiple variants are still aliased to the current. I am in various documents across multiple departments, on campus web pages, in university charts, university staff address books, on and on.

These people take work home ...so a data file / address book with my email address may be there .. their children use the units .. they go to school and use a lab ..

I post in listserv groups for years .. people have mail archives / address books / htmlized versions of listserv material on their pcs .. now we are across national borders ..

So who is sending me stuff from big@boss.com .. who knows .. and who cares .. as long as its not from a unit I currently am responsible for .. right ?

I just delete and move on .. I personally would not spend a minute looking for virus generated email or commercial spam email .. I just filter and delete. It's a shame yes .. but not worth any effort to chase down at this time. Maybe when we have better laws regarding it .. and fines .. !! .. it would be worth keeping track of.

Do you need more help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

regards,

/don

Details stolen from symantec www site.
[start insert]
As of January 13, 2003, due to an increase in submissions, Symantec Security Response has upgraded this threat to a Category 3 from a Category 2.

The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the .txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the following characteristics:
From: big@boss.com
Subject: The subject will be one of these:

Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment: The attachment will be one of these: Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

Before W32.Sobig.A@mm sends the messages, it sends a message to an address at pagers.icq.com.

The worm also attempts to copy itself to the following folders on all the open network shares:
\Windows\All Users\Start Menu\Programs\StartUp Documents and Settings\All Users\Start Menu\Programs\Startup

Note: Symantec Security Response has received reports of W32.Sobig.A@mm downloading and installing the Backdoor Trojan, Backdoor.Lala.

Can we help you?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

Also Known As: W32/Sobig [McAfee], WORM_SOBIG.A [Trend], W32/Sobig-A [Sophos]
Type: Worm
Infection Length: 65,536 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux

The above text stolen from :
http://www.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html

[end insert]

>
>
>

Don Voss                                      voss@albany.edu

"No matter how cynical you get, it is impossible to keep up." - Lilly Tomlin Received on Mon Feb 10 13:02:37 2003