Sobig Virus (actually a worm) information
- Site Admin
- Posts: 1489
- Joined: Fri Mar 07, 2003 9:33 pm
- Location: North Carolina, USA
Some background information about the worm that is making the rounds:
The most common one I'm getting (and I received 362 emails with this virus in the last 24 hours) is called W32.Sobig.F@mm. It is a mass mailing worm that sends itself to all email addresses it finds on a person's computer.
It "spoofs" the from field -- this means that it puts a random person's name in the from field of the email, so that it looks like it's coming from somewhere other than the infected computer. It gets the random from names from email addresses stored on the infected computer. These do not have to be email addresses in the person's address book; they could also be from any page the person has viewed, or from other files on the computer.
This situation is aggravated because a number of servers automatically send out emails to the person in the from field "warning" them that they may have a virus. Because the worm spoofs the from field, they probably don't have the virus, but they do get the unnecessary email and have one more thing to delete.
And the good news? First, this doesn't impact Apple computers. Second, Sobig deactivates on September 10, 2003. Just in time for Warm Glass Weekend.
There's more information about Sobig at: http://securityresponse.symantec.com/av ... .f@mm.html
Last edited by Brad Walker on Wed Sep 24, 2003 2:16 pm, edited 1 time in total.
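The spoofed from field and the "you may have a virus" backscatter described in the post above, as an added example that is not part of the thread: a small Python check a receiving mail server could run to see which host actually handed it the message, compare that with the untrusted From: domain, and suppress the pointless warning when the two disagree. All host names, addresses and headers are constructed sample data.

```python
import re
from email import message_from_string

# Constructed sample (hypothetical hosts and addresses): the worm on an infected
# home PC at isp-example.net mails itself out with a From: address it harvested
# from a cached web page. The Received: line is written by the receiving server.
WORM_MESSAGE = """\
Received: from dialup-12-34.isp-example.net ([192.0.2.45])
\tby mail.receiver-example.org with SMTP; Tue, 19 Aug 2003 10:01:01 -0400
From: alice@glass-example.com
To: bob@receiver-example.org
Subject: Re: Details
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: application/octet-stream; name="details.pif"
Content-Disposition: attachment; filename="details.pif"

(attachment body omitted)
--sep--
"""

def parse(raw):
    return message_from_string(raw)

def originating_relay(msg):
    """Host that handed the message to our server: the oldest (last) Received:
    line, which our own server wrote, so the sender could not forge it."""
    oldest = msg.get_all("Received")[-1]
    return re.search(r"from\s+(\S+)", oldest).group(1).lower()

def from_domain(msg):
    """Domain of the untrusted From: address."""
    return msg["From"].rsplit("@", 1)[-1].strip("<> ").lower()

def from_is_spoofed(msg):
    """True when From: has nothing to do with the host that actually sent it."""
    relay, domain = originating_relay(msg), from_domain(msg)
    return relay != domain and not relay.endswith("." + domain)

def executable_attachments(msg):
    """Attachment names Windows would execute when double-clicked."""
    risky = (".pif", ".scr", ".exe", ".com", ".bat")
    return [n for n in (p.get_filename() for p in msg.walk())
            if n and n.lower().endswith(risky)]

def should_warn_sender(msg):
    """Gateway rule: a virus notice sent to a spoofed From: is only backscatter."""
    return not (executable_attachments(msg) and from_is_spoofed(msg))
```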
Thanks for the clear explanation. That would explain the randomly odd emails I have gotten over the past few days.
I have a Mac so I don't worry. But isn't another line of defense to drop out BillyGatesWare from your computer....or at least use a nonMicrosoft email program. Aren't all these worms etc. using ms as the gateway?
Carla, oops off the warm glass subject
- Site Admin
- Posts: 1489
- Joined: Fri Mar 07, 2003 9:33 pm
- Location: North Carolina, USA
Yes, the SoBig virus (and most of these viruses) uses Microsoft products as a gateway. This one attacks computers that run Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP and doesn't attack computers running Linux, Macintosh, OS/2, UNIX, or Windows 3.x.
However, that's just who the virus infects, not who gets the emails carrying the virus. Anyone who gets emails can get emails that contain the virus, regardless of their particular software or brand of computer. And switching wouldn't stop the flood of emails (which is the bigger problem for someone with up-to-date virus protection software!).
Of course you could turn off your ability to receive emails. Then everyone would be perfectly safe.
- Posts: 212
- Joined: Sun Mar 09, 2003 3:23 pm
- Location: Memphis, TN
I have a Mac, so don't have all these virus problems. But I am curious about how they get around. Don't you have to open an attachment for the virus to infiltrate your system? Or does just opening the email get you in trouble?
Lisa
Lisa Allen
http://www.lisa-allen.com
Today's mighty oak is just yesterday's nut that held its ground.
- Site Admin
- Posts: 1489
- Joined: Fri Mar 07, 2003 9:33 pm
- Location: North Carolina, USA
Yes, you must open the attachment in order for the virus to get onto the system. For anyone who has a current virus protection program, even opening an attachment won't be disastrous because the program (assuming it's turned on!) will catch it in time. But a lot of people don't have virus protection programs, so they can catch the virus just by opening the attachment (assuming a Windows based computer).
In my case, I have a firewall (two, actually) and a virus protection program, so there's no huge risk of infection, but the real problem is the number of emails I receive that have the virus. To put this in perspective, one in 17 emails sent around the world in the past week has been infected with this virus! The experts estimate it will slow emails by as much as 60%, so you may not get regular emails, too. And that's true of both Windows and Mac users.
Just having a virus protection program will not help if you do not keep the virus definitions updated. Norton antivirus will automatically update for a year after purchase and then more time can be purchased. However, even the once a week is not always enough. I update my virus definitions from the Symantec website daily except on weekends when they do not update them. I have actually had a virus caught with a definition that was less than a week old. If I had not updated manually, I would have had to remove the virus from my machine. Now I have Norton Anti Virus set to automatically delete the message with the virus in it. If I miss something important, I do not care. I can go to a report and see the activity for any period of time.
Paula
- Posts: 344
- Joined: Sun Mar 09, 2003 4:06 pm
- Location: Helios Kiln Glass Studio - Austin
- Posts: 382
- Joined: Sun Mar 09, 2003 8:10 pm
- Location: Washington DC Metropolitan Area
SoBig slows down servers by flooding them with messages. More than anything it attacks networks. While the creators of SoBig and its variants may think it's funny (they embedded little messages for Bill Gates in some of them), it is not funny when the entire commuter rail system of DC has to shut down for a couple of days because the network that controls the rail switches (located in Jacksonville FL) is infected and shuts down. SoBig and its variants are having a huge impact on business by being a major nuisance. When our computer system was attacked at work (and the attack came from people at home dialing in to the network, so apparently they had insufficient virus protection at home) our entire IT staff worked 18 hour days five days straight, had to shut down email for 2 days and closed (temporarily) over 300 accounts that then had to be re-opened manually. SoBig is a big pain.
I think a big factor is what browser you use. In spite of my son's insistence, I've resisted switching from Netscape to Explorer for this very reason. I get attacked by very few of the worms and viruses that are designed to penetrate Explorer.
Brad Walker wrote:
    Yes, the SoBig virus (and most of these viruses) uses Microsoft products as a gateway. This one attacks computers that run Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP and doesn't attack computers running Linux, Macintosh, OS/2, UNIX, or Windows 3.x.
    However, that's just who the virus infects, not who gets the emails carrying the virus. Anyone who gets emails can get emails that contain the virus, regardless of their particular software or brand of computer. And switching wouldn't stop the flood of emails (which is the bigger problem for someone with up-to-date virus protection software!).
    Of course you could turn off your ability to receive emails. Then everyone would be perfectly safe.
Paul
Paul Bush
Flying Fish Studio
Portland, Oregon
- Site Admin
- Posts: 1489
- Joined: Fri Mar 07, 2003 9:33 pm
- Location: North Carolina, USA
I don't understand how the browser you're using is a factor, unless you meant the email program -- in which case I'd agree that using Netscape Communicator to retrieve emails may make infection less likely than using Outlook Express, for no other reason than because there are known security holes in OE (patches available, by the way).
Paul Bush wrote:
    I think a big factor is what browser you use. In spite of my son's insistence, I've resisted switching from Netscape to Explorer for this very reason. I get attacked by very few of the worms and viruses that are designed to penetrate Explorer.
But I don't see how either the browser or the email program you use has anything to do with whether or not you receive an email with the virus attached. Emails come in independent of both the browser and the email program.
As I mentioned, the big headache to me isn't catching the virus -- I'm well protected there -- it's dealing with the volume of emails I receive that are carrying the virus. And that's a problem that's independent of what system and software I run.
- Posts: 36
- Joined: Mon Mar 10, 2003 9:17 pm
- Location: Toronto, Ontario Canada
This isn't really a pertinent post but I had a funny exchange with one of the lawyers at work today. He's currently connecting to the internet at home using high-speed phone connection and they are offering a virus-firewall service for something like $7.00 per month. He wanted to subscribe to the service but had trouble with the self-installation instructions so was calling for help. When he found out that we couldn't help him today he replied,
"Well, I guess I'll just have to go unprotected for another night".
I think I demonstrated considerable restraint in saying nothing in reply!
Pam
I let my McAfee anti-virus expire...decided to switch to Norton and bought it two days ago. It sat on the counter until today. I got the nasty little bugger creepo virus today before I got Norton loaded...and I've spent the last several hours trying to download the patch. Duh. I needed to get on another computer to download it since I kept on getting shut down.
Paul Tarlow wrote:
    An additional FYI -- the "Blaster" worm that made the rounds over the past week or so did not require you to open an email attachment. A pc could be infected simply by being plugged into the internet if it wasn't behind a firewall.
    - Paul
Paul is right. You do not need to open an attachment to get the virus as it comes into your life as an unattached, evil, ugly, nasty, aggravating troll. Save yourself from similar aggravation and keep your virus programs updated. They don't do any good sitting on the counter.
- Posts: 344
- Joined: Sun Mar 09, 2003 4:06 pm
- Location: Helios Kiln Glass Studio - Austin
Sorry to hear that Cynthia. Been there, done that, wasn't fun.
For anyone else who finds themselves in a similar mess, here's a link to instructions on how to clean up:
http://www.dell.com/us/en/gen/topics/se ... s_info.htm
Similar instructions are elsewhere on the web, including other PC vendors and Microsoft.
For what it is worth, they've identified the teenager who wrote this thing and will probably be arresting him today.
- Paul
Thanks for understanding my frustrations Paul.
Paul Tarlow wrote:
    ...For what it is worth, they've identified the teenager who wrote this thing and will probably be arresting him today.
    - Paul
It's such a waste that someone smart enough to write code that complex isn't using his/her skills for better uses. When I was an adolescent I was busy playing junior scientist and exploring the differing effects of particular chemical compounds on the human psyche.
He didn't create it. Like a lot of script kiddies, he copied another existing virus, modified it to be more destructive, and let it loose.
http://www.cnn.com/2003/TECH/internet/0 ... index.html
Last edited by charlie on Fri Aug 29, 2003 1:02 pm, edited 1 time in total.
- Posts: 730
- Joined: Mon Mar 10, 2003 2:22 pm
- Location: wanchese north carolina
- Posts: 169
- Joined: Mon Mar 10, 2003 11:55 am
- Location: Silver Spring, MD