Warning of new Virus

Thomas C. Weedon weedon at wwnet.net
Wed Aug 20 00:20:35 AKDT 2003


I have received about 200 virus-infected e-mails in the last 12 hours. Don't
open any attachments from friend or foe unless you are sure that the
attachment is safe. Just delete, period. This looks like a serious attack on
our system, so caution is the word of the day. I have included a note of
warning from Yahoo.

Tom Weedon, NSRCA D4 AVP
NSRCA Web Team
AMA 2537, NSRCA 733
IMAC 1810, WA8WAA

+++++++++++++++++++ Yahoo Note ++++++++++++++++++++++++
New Variant Of Sobig Worm Spreading Fast

The Sobig e-mail virus that made its debut in the beginning of the year
keeps coming back, with the latest variant spreading quickly, antivirus
experts said Tuesday.

The new version, code-named W32/Sobig.F-mm, first appeared Monday and soon
led to a "medium-risk" listing by antivirus company Network Associates
Technology Inc. "The infection rate is very steady and comparable with the
other variants," says Craig Schmugar, research engineer for the company.

Indeed, the number of virus-carrying e-mails intercepted by MessageLabs Inc.
increased from 10,000 at 8:30 a.m. EST Tuesday to more than 100,000 by 1
p.m. EST. "It's a lot, but there have been a number of other viruses with a
faster infection rate," a MessageLabs spokesman says. "In terms of Sobig
variants, it's up there with the last one."

MessageLabs, which monitors corporate e-mail traffic for spam, viruses, and
other nuisances, has intercepted 360,000 e-mails infected with the previous
variant, Sobig.E, since it appeared June 25. Typically, these viruses spread
quickly during the first 12 to 24 hours, then trail off as fast as they
started as companies and home PC users update their antivirus software.

Sobig.F is arriving in e-mail under a subject line that typically says
"re:details," "details," "your details," "thank you," or "resume." The
sender is disguised as someone that may be familiar to the recipient, such
as the name of a company or person.

Once the attachment containing the virus is opened, Sobig steals e-mail
addresses from several different locations on the computer, including the
Windows address book and Internet cache, then sends copies of itself out to
those addresses. The virus, which sends multiple e-mails concurrently,
selects addresses randomly for use as the sender, attempting to fool
recipients into thinking the e-mail is from a company or other legitimate
source.

"Hackers are always trying new techniques to get you to open the virus," the
MessageLabs spokesman says. "One of the ways is called spoofing, making you
think the e-mail is coming from a trusted vendor."

The attachments' names may include your_document.pif, details.pif,
your_details.pif, thank_you.pif, movie0045.pif, document.Fall.pif,
application.pif, and document.9446.pif.

Because of its mass-mailing capabilities, Sobig can eat up bandwidth and
slow a company's network performance. The virus, however, isn't considered
as malicious as others, since it doesn't delete files or damage the infected
PC.

Nevertheless, the bigger danger lies in its ability to open a port in a
computer, enabling a hacker to upload a Trojan. The small application can
let a hacker take control of a computer or search for passwords in the
system to break into people's online accounts.
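
The subject lines and attachment names listed in the note above can be turned into a mail-triage check. The Python below is an added example, not part of the original message or the Yahoo note; the function names, the verdict labels and the rule that any other .pif attachment is also quarantined are assumptions that go beyond the listed names.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators exactly as listed in the note above (lower-cased for matching).
SUBJECTS = {"re:details", "details", "your details", "thank you", "resume"}
ATTACHMENTS = {"your_document.pif", "details.pif", "your_details.pif",
               "thank_you.pif", "movie0045.pif", "document.fall.pif",
               "application.pif", "document.9446.pif"}

def norm_subject(subject):
    """Lower-case, collapse whitespace and strip reply prefixes."""
    s = " ".join((subject or "").lower().split())
    while s.startswith("re:"):
        s = s[3:].strip()
    return s

SUBJECT_KEYS = {norm_subject(s) for s in SUBJECTS}

def triage(raw_bytes):
    """Return (verdict, reasons) for one raw message.

    The From header is never consulted: the note says it is spoofed.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    for part in msg.walk():
        name = (part.get_filename() or "").strip().lower()
        if name in ATTACHMENTS:
            reasons.append("listed attachment name: " + name)
        elif name.endswith(".pif"):
            reasons.append("other .pif attachment: " + name)
    if reasons:
        return "quarantine", reasons
    if norm_subject(msg["Subject"]) in SUBJECT_KEYS:
        # Subjects this generic are too common to block on alone.
        return "review", ["listed subject line, no .pif attachment"]
    return "pass", []

def build_sample(subject, attachment_name=None):
    """Constructed test message; addresses use reserved example domains."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.org", subject
    m.set_content("Please see the attached file for details.")
    if attachment_name:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()
```
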


