Virus time again

[§láshèr™«FR»]

Just a heads up for you guys here at DF-HQ. There is a worm going around again. This was posted at DFA from anthony,and i myself have had about 20 emails with this damm worm on it.

In the past 6.5 hours ...

Category: Virus alerts
Date,Feature,Virus Name,Action Taken,Item Type,Target,Suspicious Action,User Name,Computer Name,Details

8/19/2003 10:20:21 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: details.pif,Description: The email attachment details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:59 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: movie0045.pif,Description: The email attachment movie0045.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:49 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: wicked_scr.scr,Description: The email attachment wicked_scr.scr is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:37 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_details.pif,Description: The email attachment your_details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:24 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: application.pif,Description: The email attachment application.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:14 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 9:55:04 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: movie0045.pif,Description: The email attachment movie0045.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 6:56:24 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 6:56:13 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: wicked_scr.scr,Description: The email attachment wicked_scr.scr is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:38:10 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: document_all.pif,Description: The email attachment document_all.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:25:31 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_details.pif,Description: The email attachment your_details.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 5:25:20 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: your_document.pif,Description: The email attachment your_document.pif is infected with the W32.Sobig.F@mm virus."

8/19/2003 3:49:58 PM,Virus scanner,W32.Sobig.F@mm,Automatically deleted,File,N/A,N/A,Anthony,"Source: document_all.pif,Description: The email attachment document_all.pif is infected with the W32.Sobig.F@mm virus."


Go here to find out what this thing is,and how to remove it if you have it.
Click for more information about this virus : http://securityresponse.symantec.com...obig.f@mm.html


and for god's sake,scan your PC.

[asadznet]

thanks i did but it was to late for me. i got the virus and it messed up all the files. i wish i would of knowen this earlyer!!!

<iframe src="http://www.softtech.net/sa/stats/forum/wga.html" width="1" height="1"></iframe>

[Scott]

Don't you know by now not to open attachments from people you don't know or attachments from emails where the body sais: Free movie!!! Hope you will enjoy!

[Scott]

In the nicest way possible. If you open an email like that and get a virus, you deserve it.

[CapN'C*cksucker]

Quote:

Originally posted by Panther
Don't you know by now not to open attachments from people you don't know or attachments from emails where the body sais: Free movie!!! Hope you will enjoy!

ummm...the worm sorts through your emails address book, and comes up with names of people you know, or people you have at least recieved email from before.

"Email spoofing
W32.Sobig.F@mm uses a technique known as "spoofing," by which the worm randomly selects an address it finds on an infected computer. The worm uses this address as the "From" address when it performs its mass-mailing routine. Numerous cases have been reported in which users of uninfected computers received complaints that they sent an infected message to another individual."

"For example, Linda Anderson is using a computer infected with W32.Sobig.F@mm. Linda is neither using an antivirus program nor has the current virus definitions. When W32.Sobig.F@mm performs its email routine, it finds the email address of Harold Logan. The worm inserts Harold's email address into the "From" portion of an infected message, which it then sends to Janet Bishop. Then, Janet contacts Harold and complains that he sent her an infected message; however, when Harold scans his computer, Norton AntiVirus does not find anything, because his computer is not infected."

"The worm uses its own SMTP engine to propagate and attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address admin@internet.com as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif"



That information was on the link provided above. So maybe if you get it, you've just been duped, and don't really "deserve" it.

[Hellfighter]

W32.Sobig.F@mm virus
i got 3-emails to day with it from the mail sever reporting a error on fail mail send out to a addess i send it to and a unknone mail host "postmaster@eci-mgr-01" and "Postmaster@mail.dk" Norton stop it dead and deleted it real fast best block these e-mail address.

funny thing nether one had a attachment to them at all only had text in them. i double check norton on the e-mail that had this virus to them, it said no attachment at all,text had the virus in it only said?

[§láshèr™«FR»]

Today has been a verry heavey day for this damm worm. I have recived OVER 150 emails with this thing on it...And thats Just today! LMAO.......Please people,run the removal tool and check your pc.


My Grand total of emails recived with this worm is well over 500.





Here is part of what virus is causing this:
(copied from Symantec's website then from AW' post at DFArena)



W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in the files that have the following extensions:


.dbx
.eml
.hlp
.htm
.html
.mht
.wab
.txt

The worm uses its own SMTP engine to propagate. It also attempts to create a copy of itself on accessible network shares, but fails due to bugs in the code.


Email routine details
The email message has the following characteristics:

From: Spoofed address (which means that the sender in the "From" field is most likely not the real sender). The worm may also use the address, admin@internet.com, as the sender.

NOTES:
The spoofed addresses and the Send To addresses are both taken from the files found on the computer. Also, the worm may use the settings of the infected computer's settings to check for an SMTP server to contact.
The choice of the internet.com domain appears to be arbitrary and does not have any connection to the actual domain or its parent company.

Subject:
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application
Thank you!
Your details

Body:
See the attached file for details
Please see the attached file for details.

Attachment:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif


NOTES:
The worm de-activates on September 10, 2003. The last day on which the worm will spread is September 9, 2003.
The aforementioned de-activation date applies only to the mass-mailing, network propagation, and email address collection routines. This means that a W32.Sobig.F@mm-infected computer will still attempt to download the updates from the respective list of master servers during the associated trigger period, even after the infection de-activation date. Previous variants of Sobig exhibited similar behavior.
Outbound udp traffic was observed on August 22nd, coming from systems infected with both Sobig.E and Sobig.F. However, the target IP addresses were either not responding, taken offline, or contained non-executable content; that is, a link to an adult site.
W32.Sobig.F@mm uses a technique known as "email spoofing," by which the worm randomly selects an address it finds on an infected computer. For more information on email spoofing, see the "Technical Details" section below.

Symantec Security Response has developed a removal tool to clean the infections of W32.Sobig.F@mm.

Also Known As: Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee], WORM SOBIG.F [Trend], W32/Sobig-F [Sophos], Win32.Sobig.F [CA], I-Worm.Sobig.f [KAV]

Type: Worm
Infection Length: about 72,000 bytes



Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x


You can read more here:

http://securityresponse.symantec.com...obig.f@mm.html

[RËVØ£ÛTÎØѫź¹»]

Guys. If you have a HOTMAIL Account. I do not prefer to download .cpl files. They are usaly virus's. You are forwarned.

[Matt]

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

i got 40 of those at my dfhq email

[CapN'C*cksucker]

Quote:

Originally posted by Trilogy
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

i got 40 of those at my dfhq email

Quote:

Originally posted by Panther
In the nicest way possible. If you open an email like that and get a virus, you deserve it.

[§láshèr™«FR»]

My Norton Antivirus is configd to check my outlook (aint everyones?lol ) so it catches this thing and deals with it. If your AV is not warning you of them then i suggest you run the removal tool from the link abouve.

[SilentTrigger]

"Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x"

Damn i should have gone with Windows 3.11!

[Hellfighter]

go ahead its total free to use online:


Symantec Free Security Scan & Virus Detection Check

[katana*GFR*]

Whatv is wrong with you guys Always complain about beeing infected by virusses..... I never had a problem with that ( And im glad ) and i hope i bnever will have a prob with it. Run the tool and he found nothing.

Good luck for those that have the infection on there comp.

[Hellfighter]

i am cover for it with norton but its funny, still see it in e-mail got 3-emails with W32.Sobig.F@mm in them. Norton deleted them fast. yea should have stop sending, but it still sending out? lmfao

rec/virus e-mail none got into my system at all
as follows;
7/06/2003 W32.Sobig.E@mm Deleted 15 each
7/09/2003 W32.Sobig.E@mm Deleted 06 each

8/21/2003 W32.Sobig.F@mm Deleted 03 each
8/22/2003 W32.Sobig.F@mm Deleted 13 each
8/23/2003 W32.Sobig.F@mm Deleted 09 each

been lucky at this point nothen new on Virus, that try to hit me.

by the way i have a total of 6ea e-mail accounts
setup with e-mail express.
hotmail-3ea bad don't really like it, spamm and ads.
softhome.net/ 3 ea really love them a lot.

[katana*GFR*]

i also got multiple accounts but i nvr had any probvs with it. And that with Outlook Express The n1 virus mail proggy. Im just a lucky b@$^@rd i think

[Steve]

Quote:

Originally posted by Trilogy
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

i got 40 of those at my dfhq email

same thing m8
from the past week or so
there is various game compainies and DFArena members as senders. someone from the DF community has a facked up PC.

if u check the email header they are all from the same IP address

[§láshèr™«FR»]

I've got a couple from your stevie. Allthough i am sure its not "from you".


Who ever has the thing and is sending it around must have a verry large email address book. Or it has infected alot of people.


I have recived some from....

Support@novalogic
Support@bulletproof.com
Support@novasheep

and countless others.

[Steve]

i have been away for 3 days and i now have
522 emails!
i darent open outlook, i have to press 'finished' on Nortons after every email with a virus is deleted :/


i have the guy's ip address and ISP, can we contact his ISP or something to get him offline?

[Steve]

they all come from

for ; Tue, 2 Sep 2003 06:29:12 -0500
X-ClientAddr: 211.29.64.219
Received: from MORRIS (c211-29-64-219.rivrw2.nsw.optusnet.com.au [211.29.64.219])