Sudden SPAM ?!?


NickC
August 19th, 2003, 07:50 PM
My main email address through comcast has been thankfully free of spam so far. A big reason for this is that I don't post this email anywhere - only friends & family have this email.

For some reason, today I've been hit with spam - not as bad as many people have it, but still 7 or 8 spams in one day is a lot when going from nothing! :mad: Any reason why this is so? I haven't recently downloaded anything, and I certainly haven't posted my email recently.

The only common thing I noticed is that just about ALL of the spam today had attached files! :eek: And the subjects weren't the typical ones to increase/decrease parts of the body, money, etc.

BigFred
August 19th, 2003, 09:18 PM
Hi Nick

Seems suspicious doesn't it?

Could be that one or more of your associates who have your e-mail address in their address book has been infected by a virus. The virus could be mailing itself to everyone.

Might be an idea to ensure that your antivirus program is up-to-date, and then do a scan of your system. BF

Rapmaster
August 19th, 2003, 09:33 PM
New 'Sobig' virus clogs e-mail inboxes (http://story.news.yahoo.com/news?tmpl=story&u=/ap/20030819/ap_on_hi_te/e_mail_virus_1)

NickC
August 19th, 2003, 10:17 PM
Big Fred: Yes, my anti-virus is up to date. Plus I get my emails forwarded to my cell phone so I have advance notice of emails. When I realized all these emails were spam, I went directly to the website and made sure none were in my Inbox. So I never even downloaded any of them. Comcast's email filter pretty much caught all of them.

The strange thing is that none of these were from people I knew. So if the virus is indeed sending itself from infected people's address books, could it be masking the return address somehow?

Rapmaster: This sounds EXACTLY like what it is. All of them say "please see attached file." And the attached file is a .pif file. Yeah right, I'm going to open an attachment! NOT

10ECsoon
August 19th, 2003, 10:28 PM
Wow, only 8? I've got over 75 of those since 3:00 today. Our firewall stripped the .pif, luckily.

NickC
August 20th, 2003, 01:01 AM
Originally posted by 10ECsoon
Wow, only 8? I've got over 75 of those since 3:00 today. Our firewall stripped the .pif, luckily.

Okay, I've gotten a few more since my last post, but nowhere near 75! :eek:

user595212
August 20th, 2003, 02:47 AM
Hi all,

I got about 12 or 15 of these at work yesterday, as did many of my colleagues -- hundreds of people for a total of thousands of e-mails! Luckily, by the time I got in the systems chief had e-mailed everyone that it was some rogue worm or whatever (they didn't know what yet) that was e-mailing stuff with attachments and spreading itself through the infected mailboxes. I was getting random messages from colleagues in other departments who didn't routinely send me messages. I even got an automatic out-of-office reply from one guy! It was humorous.

The firewall stripped all the attachments before they got to anyone.

They don't seem to know what it was yet. Further investigation I assume.

Systems later sent around a patch to apply to Exchange that would send all these to a junk folder or to be deleted automatically.

Cheers
Wendy

P.S. I haven't had any at home, thank God. My anti-virus software is up to date.

BigFred
August 20th, 2003, 08:53 AM
Hi

A stack of people on my mail server got the stripped version of this today. Mail scanner obviously doing its job. :cool:

Lots of .pif attachments removed. :mad:

But I got none. :D Obviously I only e-mail people with good AVs :D BF

Steve R Jones
August 20th, 2003, 09:15 AM
I've gotten 30 so far on my comcast account. Oh joy..

NickC
August 20th, 2003, 09:22 AM
Steve, is Comcast not filtering out these emails? Like I said in my original post, Comcast is pretty much moving all of them into a spam folder. I only notice because I get my emails forwarded to my cell phone. Otherwise when I checked yesterday OE only downloaded legit emails.

What I don't understand is how my email got in this in the first place. None of these have been from people I know. Was it just random?

usil
August 20th, 2003, 10:16 AM
I myself have received over 70 of these "Sobig" viruses at home. My anti-spam program (MailWasher Pro) erases them from the ISP's server before I download them to my computer. I also get some responses from admins of all kinds of domains that the mail I sent did not get to its destination. Needless to say, I never wrote those emails. It's all bogus and completely random. The virus uses people's address book to send it to others, and that's probably how you got it. You may not recognize the people who sent it to you because the virus probably switches the names in the "from" field much like the Klez virus.

Vernon Frazee
August 23rd, 2003, 11:22 AM
Symantec's standalone, easy-to-use "W32.Sobig.F@mm Removal Tool" can be downloaded from this page: http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.removal.tool.html (172K)

Vernon Frazee
August 24th, 2003, 07:54 AM
Condensed version of the "New Phase of Sobig.F Set for Fridays (http://www.internetnews.com/infra/print.php/3067671)" article
By Erin Joyce and Sharon Gaudin
August 22, 2003

The Sobig.f worm ... is poised to unleash a new phase of its havoc between 3:00 PM and 6:00 PM Eastern Standard Time on Friday. ... [it] is planning a new phase of attack to hit on Fridays and Sundays until it ... expire[s] on Sept. 10th.

... infected computers are programmed to start to connect to machines found on an encrypted list hidden in the virus body. ... the list contains the address of 20 computers located in United States, Canada and South Korea ...

Once the worm infected a machine, it was then programmed to go to one of those 20 Web sites to pull down code to drop it into the infected machine, ... those 20 machines are believed to be [currently] offline. [They] seem to be typical home PCs, connected to the Internet with always-on DSL connections," ... "Most likely the party behind Sobig.f has broken into these computers and they are now being misused to be part of this attack."

... [Sobig.F] connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a Web address ... Infected machines download a program from this address -- and run it. At this moment experts say they are not sure what the program will do.

F-Secure said it has been able to break into this system and crack the encryption, but currently the Web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," ... "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."

The Sobig worms come with a three-stage attack, ... The e-mail worm is the first stage, installing a backdoor Trojan is the second stage and then installing a proxy server is the last stage. "The backdoor [Trojan] is designed to let the attacker steal information," ... "He could steal password data or the worm could activate a key logger whenever you're doing online banking."

... if the 20 IPs used in the attack are available and manipulated by the attacker, the attacker can install malicious code of choice on SoBig infected computers connecting to the downloader IP. The code may be anything but has traditionally been a backdoor Trojan (Lala/Hooker) and then a copy of Wingate (proxy server).

"Blocking outbound UDP 8998 activity will successfully block SoBig communications with remote servers hard coded into the code of the worm used for updating itself/installing new code. Additionally, blocking against the NTP server ports may prevent the worm from meeting certain date and time conditions for the secondary and tertiary attacks. [Also] Block port 123 and UDP ports 995-999," ... and ... block against the Wingate proxy server if found on a computer so that spam cannot be sent through a formerly infected or currently infected computer.

Complete article here: New Phase of Sobig.F Set for Fridays (http://www.internetnews.com/infra/print.php/3067671)
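As an added example (not from the thread or the quoted article), a small Python detector that turns the article's blocking advice into a log check: it flags hosts sending outbound UDP to 8998 or 995-999 in constructed iptables-style firewall lines and notes whether each flow fell in the Friday/Sunday 3:00-6:00 PM window before Sept. 10; the hosts, addresses and log format are assumptions.

```python
"""Flag hosts whose outbound UDP traffic matches the Sobig.F update channel
(UDP 8998, UDP 995-999) named in the article. Example code added to this
thread, not from the article or any vendor; log format and hosts assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Ports the article recommends blocking outbound. UDP 123 (NTP) is left out
# on purpose: it is also legitimate time sync, so it is a poor indicator.
SOBIG_UPDATE_PORTS = {8998} | set(range(995, 1000))

LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\S+) .*DPT=(?P<dpt>\d+)")

# Constructed sample iptables log lines (hypothetical internal hosts).
SAMPLE_LOG = """\
Aug 22 15:01:12 gw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.7 PROTO=UDP SPT=1054 DPT=8998 LEN=16
Aug 22 15:01:13 gw kernel: OUT=eth1 SRC=192.168.1.20 DST=203.0.113.9 PROTO=UDP SPT=1055 DPT=997 LEN=16
Aug 22 15:01:20 gw kernel: OUT=eth1 SRC=192.168.1.31 DST=198.51.100.5 PROTO=UDP SPT=123 DPT=123 LEN=76
Aug 22 15:02:05 gw kernel: OUT=eth1 SRC=192.168.1.31 DST=198.51.100.8 PROTO=TCP SPT=3201 DPT=80 LEN=52
Aug 22 15:02:40 gw kernel: OUT=eth1 SRC=192.168.1.44 DST=203.0.113.7 PROTO=UDP SPT=1210 DPT=8998 LEN=16
"""

def in_sobig_window(ts):
    """True if ts (naive, Eastern local time) is inside the Friday/Sunday
    15:00-18:00 activation window the article says runs until Sept. 10, 2003."""
    return (ts.weekday() in (4, 6) and 15 <= ts.hour < 18
            and ts < datetime(2003, 9, 10))

def find_suspects(log_text, year=2003):
    """Return {src_ip: [(dst_ip, dport, in_window), ...]} for outbound UDP
    flows to the update ports; other traffic (NTP, TCP, ...) is ignored."""
    suspects = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m["proto"] != "UDP":
            continue
        dport = int(m["dpt"])
        if dport not in SOBIG_UPDATE_PORTS:
            continue
        # Syslog timestamps omit the year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
        suspects[m["src"]].append((m["dst"], dport, in_sobig_window(ts)))
    return dict(suspects)

if __name__ == "__main__":
    for host, flows in find_suspects(SAMPLE_LOG).items():
        print(host, flows)
```

A hit on 8998 or 995-999 from an internal host is worth a closer look regardless of the time window; the window flag only says whether the flow lined up with the schedule the article describes.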