[TriLUG] Re: [lug] N00b: Security Warning Fun

Mike Norwood norwoodm at earthlink.net
Tue Aug 19 15:43:16 EDT 2003


It sounds like the following:

On Tue, 19 Aug 2003, Ryan Wheaton wrote:

> I've noticed an unusually high amount of spam coming through as well.  Some 
> with this subject, some with others, but all with a .pif attachment.  My 
> firewall filters out .pif's so I'm not too concerned, but it's driving my 
> users crazy (sometimes, emails come once a minute or so).  Anyone else seen 
> this or have an explanation?
> 

New virus alert: W32/Sobig.F-mm

Warning: dangerous new variant of "Sobig" family spreading

On 18th August 2003, MessageLabs, the email security company, intercepted
several copies of a mass-mailing virus which were identified as
W32/Sobig.F-mm.  The initial copies all originated from the United
States.

    Name:  W32/Sobig.F-mm
    Number of copies intercepted so far:  1,124 (increasing rapidly)
    Time & Date first Captured:  18 Aug 2003 21:04 GMT
    Origin of first intercepted copy:  United States
    Most active country:  United States (95%), Denmark (3%), Norway (1%)

Characteristics
Initial analysis would suggest that Sobig.F is a mass-emailing virus
that is spreading very vigorously.  Sobig.F appears to be polymorphic in
nature, and the email From: address is also spoofed and may not indicate
the true identity of the sender.  In earlier versions of the Sobig
family, the file extension has sometimes been truncated.  MessageLabs
have not yet observed this with the Sobig.F strain.

The email may also comprise the following characteristics: 
    Subject: Re: Details
    Text:
        Please see the attached file for details.

    Attachment names may include: your_document.pif, details.pif,
        your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif,
        application.pif, document_9446.pif

In an attempt to bypass local antivirus security, the file size varies
on each generation, reminiscent of Yaha, by appending rubbish to the end
of the file, but is on average around 74 KB in size.  The initial copies
are packed using TELock, but there may be other variants in the wild
packed using different packers.

Mike Norwood
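The indicators in the alert above (the .pif extension, the listed attachment names, the "Re: Details" subject, the note that the From: address is spoofed and that earlier Sobig variants sometimes truncated the extension) can be turned into a simple mail-gateway check. The following Python is an added example written for this archive page; it is not code from the thread, from MessageLabs, or from any product. The two sample messages are constructed for the example, the function name classify_message is my own, and the "quarantine" decision is only an illustration of how the indicators combine.

```python
import email
from email import policy

# Indicators taken from the MessageLabs alert quoted above.
KNOWN_SUBJECTS = {"re: details"}
KNOWN_ATTACHMENTS = {
    "your_document.pif", "details.pif", "your_details.pif", "thank_you.pif",
    "movie0045.pif", "document_fall.pif", "application.pif", "document_9446.pif",
}
# Earlier Sobig variants sometimes truncated the extension, so also match on the
# bare stem (e.g. "your_document" or "your_document.pi").
KNOWN_STEMS = {name.rsplit(".", 1)[0] for name in KNOWN_ATTACHMENTS}
BLOCKED_EXTENSIONS = {".pif"}


def classify_message(raw: str) -> dict:
    """Parse one RFC 822 message and report which Sobig.F indicators it matches.

    The From: header is returned for logging only; the alert says it is spoofed,
    so it is deliberately not used as an indicator.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    findings = []

    if subject.lower() in KNOWN_SUBJECTS:
        findings.append(f"subject matches alert: {subject!r}")

    attachments = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        lower = name.lower()
        stem = lower.rsplit(".", 1)[0] if "." in lower else lower
        payload = part.get_payload(decode=True) or b""
        # Size is recorded for the log but never used as a signature: the alert
        # says Sobig.F pads each copy with rubbish so the size varies.
        attachments.append({"name": name, "size": len(payload)})

        if any(lower.endswith(ext) for ext in BLOCKED_EXTENSIONS):
            findings.append(f"blocked extension: {name}")
        if lower in KNOWN_ATTACHMENTS:
            findings.append(f"known Sobig.F attachment name: {name}")
        elif stem in KNOWN_STEMS:
            findings.append(f"known Sobig.F name with altered/truncated extension: {name}")

    return {
        "from": str(msg["from"] or ""),   # logged, not trusted
        "subject": subject,
        "attachments": attachments,
        "findings": findings,
        "quarantine": bool(findings),
    }


# Constructed sample resembling the alert's description (not a real capture).
SAMPLE_SOBIG = """\
From: someone@example.com
To: user@example.net
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached file for details.

--XYZ
Content-Type: application/octet-stream; name="your_document.pif"
Content-Disposition: attachment; filename="your_document.pif"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQtc2FtcGxl
--XYZ--
"""

# Constructed benign sample: ordinary PDF attachment, unrelated subject.
SAMPLE_CLEAN = """\
From: colleague@example.org
To: user@example.net
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="ABC"

--ABC
Content-Type: text/plain

Notes attached.

--ABC
Content-Type: application/pdf; name="notes.pdf"
Content-Disposition: attachment; filename="notes.pdf"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQtc2FtcGxl
--ABC--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SOBIG, SAMPLE_CLEAN):
        print(classify_message(sample))
```

The extension check alone already covers what Ryan's firewall does; the name and stem checks add the alert's specific indicators, and matching on the stem is what catches a copy whose extension has been truncated. Keeping the From: address out of the decision avoids blocking or warning the wrong person when the header is forged.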