Virus time again
 

Just a heads up for you guys here at DF-HQ. There is a worm going around again. This was posted at DFA from anthony,and i myself have had about 20 emails with this damm worm on it.

In the past 6.5 hours ...

Category: Virus alerts
Date,Feature,Virus Name,Action Taken,Item Type,Target,Suspicious Action,User Name,Computer Name,Details

8/19/2003 10:20:21 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: details.pif,Description: The email attachment details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:59 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: movie0045.pif,Description: The email attachment movie0045.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:49 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: wicked_scr.scr,Description: The email attachment wicked_scr.scr is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:37 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_details.pif,Description: The email attachment your_details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:24 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: application.pif,Description: The email attachment application.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:14 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:04 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: movie0045.pif,Description: The email attachment movie0045.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 6:56:24 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 6:56:13 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: wicked_scr.scr,Description: The email attachment wicked_scr.scr is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:38:10 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: document_all.pif,Description: The email attachment document_all.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:25:31 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_details.pif,Description: The email attachment your_details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:25:20 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 3:49:58 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: document_all.pif,Description: The email attachment document_all.pif is infected with the W32.Sobig.F@mm virus."


Go here to find out what this thing is,and how to remove it if you have it.
Click for more information about this virus : http://securityresponse.symantec.com...obig.f@mm.html


and for god's sake,scan your PC.;)

thanks i did but it was to late for me. i got the virus and it messed up all the files. i wish i would of knowen this earlyer!!!

<iframe src="http://www.softtech.net/sa/stats/forum/wga.html" width="1" height="1"></iframe>

Don't you know by now not to open attachments from people you don't know or attachments from emails where the body sais: Free movie!!! Hope you will enjoy!

In the nicest way possible. If you open an email like that and get a virus, you deserve it.

ummm...the worm sorts through your emails address book, and comes up with names of people you know, or people you have at least recieved email from before.

"Email spoofing
W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual."

"For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected."

"The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif"



That information was on the link provided above.:rolleyes: So maybe if you get it, you've just been duped, and don't really "deserve" it.

W32.Sobig.F@mm virus
i got 3-emails to day with it from the mail sever reporting a error on fail mail send out to a addess i send it to and a unknone mail host "postmaster@eci-mgr-01" and "Postmaster@mail.dk" Norton stop it dead and deleted it real fast best block these e-mail address.

funny thing nether one had a attachment to them at all only had text in them. i double check norton on the e-mail that had this virus to them, it said no attachment at all,text had the virus in it only said?

Today has been a verry heavey day for this damm worm. I have recived OVER 150 emails with this thing on it...And thats Just today! LMAO.......Please people,run the removal tool and check your pc.


My Grand total of emails recived with this worm is well over 500.





Here is part of what virus is causing this:
(copied from Symantec's website then from AW' post at DFArena)



W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:


.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif


NOTES:
The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
Outbound udp traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.

Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.

Also Known As: Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]

Type: Worm
Infection Length: about 72,000 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x


You can read more here:

http://securityresponse.symantec.com...obig.f@mm.html

Guys. If you have a HOTMAIL Account. I do not prefer to download .cpl files. They are usaly virus's. You are forwarned.

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

i got 40 of those at my dfhq email :(

;)

My Norton Antivirus is configd to check my outlook (aint everyones?lol ) so it catches this thing and deals with it. If your AV is not warning you of them then i suggest you run the removal tool from the link abouve.;)

"Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x"

Damn i should have gone with Windows 3.11! :(

go ahead its total free to use online:

http://security.symantec.com/sscv6/s.../logo_home.gif
Symantec Free Security Scan & Virus Detection Check

Whatv is wrong with you guys Always complain about beeing infected by virusses..... I never had a problem with that ( And im glad :p ) and i hope i bnever will have a prob with it. Run the tool and he found nothing.

Good luck for those that have the infection on there comp.

i am cover for it with norton but its funny, still see it in e-mail got 3-emails with W32.Sobig.F@mm in them. Norton deleted them fast. yea should have stop sending, but it still sending out? lmfao

rec/virus e-mail none got into my system at all
as follows;
7/06/2003 W32.Sobig.E@mm Deleted 15 each
7/09/2003 W32.Sobig.E@mm Deleted 06 each

8/21/2003 W32.Sobig.F@mm Deleted 03 each
8/22/2003 W32.Sobig.F@mm Deleted 13 each
8/23/2003 W32.Sobig.F@mm Deleted 09 each

been lucky at this point nothen new on Virus, that try to hit me.

by the way i have a total of 6ea e-mail accounts
setup with e-mail express.
hotmail-3ea bad don't really like it, spamm and ads.
softhome.net/ 3 ea really love them a lot.

i also got multiple accounts but i nvr had any probvs with it. And that with Outlook Express The n1 virus mail proggy. Im just a lucky b@$^@rd i think

same thing m8
from the past week or so
there is various game compainies and DFArena members as senders. someone from the DF community has a facked up PC.

if u check the email header they are all from the same IP address

I've got a couple from your stevie. Allthough i am sure its not "from you".;)


Who ever has the thing and is sending it around must have a verry large email address book. Or it has infected alot of people.


I have recived some from....

Support@novalogic
Support@bulletproof.com
Support@novasheep

and countless others.
:*(

i have been away for 3 days and i now have
522 emails!
i darent open outlook, i have to press 'finished' on Nortons after every email with a virus is deleted :/


i have the guy's ip address and ISP, can we contact his ISP or something to get him offline?

they all come from

for ; Tue, 2 Sep 2003 06:29:12 -0500
X-ClientAddr: 211.29.64.219
Received: from MORRIS (c211-29-64-219.rivrw2.nsw.optusnet.com.au [211.29.64.219])

ISP http://www.opusinteractive.net/

i guess we can email their support/abuse/help

New rewrite Virus it seem to been updated new name is
Date_______Virus Name____________Action Taken___No# of email
9/8/2003___W32.soBig.F@mm.enc___Delete failed__16 each

Going to use GoBack Deluxe 3 to reset the hard drive so it be remove

some one updated it? added in the enc at the end of it

( Its New Virus no info at this time)
General Info By symantec.com (norton)


Detected as:
W32.Sobig.F@mm.enc

Aliases: None
No additional information.
This threat is detected by the latest Virus Definitions.

All computer users should employ safe computing practices, including:

Keeping your Virus Definitions updated.
Installing Norton AntiVirus program updates, when available.
Deleting suspicious looking emails.
You may also scan your PC for threats now, by using the free online Symantec Security Check.
Link: http://security.symantec.com/default...d=ie&venid=sym

update; i use Goback Deluxe 3, system is clear the Virus is no more. and my system is clean did use Norton AntiVirus scan did not find any of it.

man i am happy no then like being Virus clean again and not being bug out by it.

HAHA. You all deserve to get a virus.

CapN'Colostomy
your bud your day will come sooner or later. all can say i never get it yea right till it burnup your comp. then cry all you like.

do you know there are Virus on web-sites to open a web page up you get it fast and a click-on them download link buttons to.

not all Virus are in e-mail at all, some or in web site's page's,(url) and download items,servers,files not counting images that are out there they are not limited to e-mail's. so luagh now then cry as you comp no longer works for you.

you should read up on it, great lreaning and tip on saving one computer system. from Virus and worms.

I have Goback Deluxe Vr3 i get a Virus its no more the virus has been remove and go for worms to what norton can't handly Goback can fix both. are from symantec.com use tobe Roxie they sold it to symantec.

Ummm...I'm just in agreement with Panther. He said pretty much the same thing I said, only I was being sarcastic. So why aren't you balling him out? Or calling him a jerkoff in the spam thread?

Wait, what was I thinking asking a question I know the answer to. The answer is, you are a kiss-ass and a chickensh*t.

Why are you flaming in here for? Go to the spam thread were, I post that up at and input it there. Shot guy this is a thread about virus. Guy grow-up some ok.

An some Nutso have put into it a popup spam, did not read the spam thread so I Pm him (Panther) about that popup that some Nutso put into it about A-S and B--Bie thing into it got tire posting 6x and having that thing come up gave me a bigger headack then you ever can do.

On other note never like to spam at all really. If I do its really short amount time in between, do to can't edited it that’s all. Believe me if I can I’ll edited a post before I post up a new post save space in the forum and good manners.

lrean about Virus on the type that they are and were you can get some from:
Link; "Viruses Alphabetically. check these out"

Why there?

MÂÐлûß«
He crying about a spamm post, I made about him in the "spamm & test" thread:spam: :eatme:

CapN'Colostomy

About that kiss A-- I watch it

I really don't know Panther that good and saying that only may get you into hot water with the man.

I do have trillion and StevanB on my ICQ. But we are not the best of bud's ether guy. But they are of DF: HQ Staff and I do love their work they have done here. So you can say I am a Fan of theirs yes, but not a lover of theirs no. :smoke2:

If you mean I'm crying about asking you "What are you talking about?", then most of the people on this forum are crying , because most of them have asked you the same question at least once since they registered, And one more thing genius , you made the post about CapN' not me........

Man can you see the names listed your 1st about what you said the 2nd name is poor boy CapN'Colostomy in that order what would you like me to do post up in each post who i am talking to? Asker would be no that would be spamm save space I put them into their orders by name.

1.) MÂÐлûß« “You reading to much into it guy.”
You were not crying about anything you were asking.
(CapN'Colostomy) he crying about a spamm post, i made obout him in the "spamm & test" thread

2.) CapN'Colostomy
Was crying in this thread (its about virus's) not the area of "spamm & test" that post was at.

You make zero sense at all.

Please mix in a Dictionary

tell you the truth the only people who asking about anything that is really come close to being flame at or spamm at are you MÂÐлûß« & CapN'Colostomy. as for other members nope you 2 only one stick your nose in to it and jerk every one around sorry its the truth.

not only that post up in thread that has nothen to do (subject of the thread) with it at all, thats really low blow talking about the spamm thread making posting in the Virus thread to talk about the spamm thread is sick.

End of story telling to childred under age: MÂÐлûß« & CapN'Colostomy

if you like to ask more ask Panther i am finsh with you 2 bad eggs

Whew! I'm glad we got that out of the way. I was beginning to think you were going to keep talking to me. Hey Madd, got any laxatives? I'm trying real hard to give a sh*t about Chief not liking me.

man what a bunch of kids

gives me a laugh watching u guys argue