SoBig

  1. #1
    Join Date
    Jun 2002
    Location
    norfolk Va.
    Posts
    235

    SoBig

    I have received numerous e-mails recently (started yesterday) saying I have this worm (Sobig), but when I run the removal tool it says my computer does not have the problem. I checked all three of the computers and none of them are infected, but I am still getting these mailer-daemon rejections saying a letter I sent is infected. The e-mails are not to people I have in my mail box (nor did I send them), so I don't really know where to go from here. Any advice or suggestions are appreciated. Thanks
    KennJ

  2. #2
    Join Date
    Apr 2000
    Location
    Sheboygan, WI
    Posts
    53,391
    http://www3.ca.com/virusinfo/virus.aspx?ID=36376 Win32.Sobig.F information.

    Sounds like someone has more time than they need on their hands.

  3. #3
    Join Date
    Feb 2003
    Location
    Minneapolis, MN USA
    Posts
    3,733
    If you're still using Norton, here's Symantec's page on W32.Sobig.F.

    http://securityresponse.symantec.com...oval.tool.html

  4. #4
    Join Date
    Jun 2002
    Location
    norfolk Va.
    Posts
    235
    I have already run the Symantec Sobig removal tool on all computers and none have been detected to contain the virus. Nonetheless I am receiving e-mails saying I am sending infected files. I have also done searches for the associated files to no avail. I would be surprised if anyone downloaded an unknown file, as it is not something we do due to experience with these types of problems (and a general lack of interest in surprise files).

    KennJ

  5. #5
    Join Date
    Jan 2000
    Location
    Hervey Bay, Queensland Australia
    Posts
    2,005
    Kenn

    Don't worry, if you've run an up-to-date AV and your machine shows as clean then it most likely is.

    One of the things this SoBig virus does is spoof e-mail addresses. That is, it e-mails itself to people's addresses in the infected machine's address book and uses another address from that address book as the fake sender address.

    So it's not you that's infected, but someone else who happens to have your address in their address book. BF
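The bounce symptom BF describes can be checked rather than guessed at: a mailer-daemon rejection normally carries the rejected message's original headers, and the bottom-most Received: line records where that message actually entered the mail system. The script below is an added example, not something posted in this thread; the bounce text, host names and addresses are constructed, and the set of "our relays" is an assumption you would replace with your own mail server names.

```python
"""Triage a mailer-daemon bounce: did the rejected message really leave our
mail system, or did a worm on someone else's machine forge our address as
the sender? Added example, not from the thread. All hosts, addresses and
the bounce text are constructed."""

import email
import re
from email import policy

# Hosts that actually relay our outgoing mail (assumption for this example).
OUR_RELAYS = {"mx.example.net", "mail.example.net"}

# "from HELO (rdns [ip]) by HOST" as most MTAs write it into Received: headers.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^\s\[]*)\s*\[(?P<ip>[^\]]+)\]\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)

# Constructed bounce: mx.example.org rejected a worm-generated message whose
# From: header was forged to kennj@example.net. The earliest hop is an ISP
# DSL host, not one of our relays.
FORGED_BOUNCE = """\
From: MAILER-DAEMON@mx.example.org
To: kennj@example.net
Subject: Undeliverable: Re: Details
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: text/plain

Your message was rejected because it contained a virus (W32.Sobig.F).

--B1
Content-Type: message/rfc822

Received: from mx.example.org (mx.example.org [192.0.2.10]) by inbound.example.org
Received: from host-203-0-113-5.isp.example (unknown [203.0.113.5]) by mx.example.org
From: kennj@example.net
To: someone@example.org
Subject: Re: Details

See the attached file for details.
--B1--
"""

# Same bounce, but the message genuinely went out through one of our relays.
GENUINE_BOUNCE = FORGED_BOUNCE.replace(
    "from host-203-0-113-5.isp.example (unknown [203.0.113.5]) by mx.example.org",
    "from mail.example.net (mail.example.net [198.51.100.2]) by mx.example.org",
)


def embedded_original(bounce):
    """Return the original message attached to the bounce, or None."""
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


def received_hops(msg):
    """Parse Received: headers, newest first (the order MTAs prepend them)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(value))
        if m:
            hops.append({k: (m[k] or "").lower() for k in ("helo", "rdns", "ip", "by")})
    return hops


def triage_bounce(bounce_text, our_relays=OUR_RELAYS):
    """Decide whether the bounced message passed through our mail system."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    original = embedded_original(bounce)
    if original is None:
        return {"verdict": "unknown", "reason": "bounce carries no original headers"}
    hops = received_hops(original)
    if not hops:
        return {"verdict": "unknown", "reason": "no parsable Received: headers"}
    # Bottom-most header is the hop where the message entered the mail system.
    first = hops[-1]
    relays = {r.lower() for r in our_relays}
    if first["by"] in relays or first["rdns"] in relays:
        return {"verdict": "sent_via_us", "first_hop": first, "hops": len(hops)}
    return {"verdict": "forged_sender", "first_hop": first, "hops": len(hops)}


if __name__ == "__main__":
    print(triage_bounce(FORGED_BOUNCE))
    print(triage_bounce(GENUINE_BOUNCE))
```

The check deliberately trusts the reverse-DNS name and the `by` host written by the receiving server rather than the HELO string, since the HELO is supplied by the sending machine and a worm can put anything there. Bounces from servers that strip the original headers come back as "unknown", which is the honest answer in that case.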

  6. #6
    Join Date
    Jun 2002
    Location
    norfolk Va.
    Posts
    235
    Thanks BigFred, that would explain why the addresses are not ones I recognise. I guess the best thing I can do is send out an e-mail to the folks in my address book with the Symantec link and an explanation of what is happening to me so they can check their computers and put an end to the worm.
    KennJ

  7. #7
    Join Date
    Oct 1999
    Location
    WV
    Posts
    142
    One way to see if you have the virus is to ctrl-alt-del and go to the Processes tab and look for Winppr32.exe in the list. If found then you can click it, and then click End Process. This will only stop it from running.

    Check Symantec's web site to see how to delete it.


    Later
    VB9999

  8. #8
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    Symantec's standalone, easy-to-use "W32.Sobig.F@mm Removal Tool" can be downloaded from this page: http://www.symantec.com/avcenter/ven...oval.tool.html (172K)
    Vernon Frazee, Microsoft MVP (Windows - Shell/User)

    Defenses Up!
    Tip: When prompted for a password, give an incorrect one first. A phishing site will accept it; a legitimate one won't.


    Inside Spyware: A Guide to Finding, Removing and Preventing Online Pests


    If you don't keep up with security fixes, your computer|network won't be yours for long.

  9. #9
    Join Date
    Feb 2000
    Location
    26.03°N 80.14°W
    Posts
    9,410
    Condensed version of the "New Phase of Sobig.F Set for Fridays" article
    By Erin Joyce and Sharon Gaudin
    August 22, 2003
    The Sobig.f worm ... is poised to unleash a new phase of its havoc between 3:00 PM and 6:00 PM Eastern Standard Time on Friday. ... [it] is planning a new phase of attack to hit on Fridays and Sundays until it ... expire[s] on Sept. 10th.

    ... infected computers are programmed to start to connect to machines found on an encrypted list hidden in the virus body. ... the list contains the address of 20 computers located in United States, Canada and South Korea ...

    Once the worm infected a machine, it was then programmed to go to one of those 20 Web sites to pull down code to drop it into the infected machine, ... those 20 machines are believed to be [currently] offline. [They] seem to be typical home PCs, connected to the Internet with always-on DSL connections," ... "Most likely the party behind Sobig.f has broken into these computers and they are now being misused to be part of this attack."

    ... [Sobig.F] connects to one of these 20 servers and authenticates itself with a secret 8-byte code. The servers respond with a Web address ... Infected machines download a program from this address -- and run it. At this moment experts say they are not sure what the program will do.

    F-Secure said it has been able to break into this system and crack the encryption, but currently the Web address sent by the servers doesn't go anywhere. "The developers of the virus know that we could download the program beforehand, analyze it and come up with countermeasures," ... "So apparently their plan is to change the Web address to point to the correct address or addresses just seconds before the deadline. By the time we get a copy of the file, the infected computers have already downloaded and run it."

    The Sobig worms come with a three-stage attack, ... The e-mail worm is the first stage, installing a backdoor Trojan is the second stage and then installing a proxy server is the last stage. "The backdoor [Trojan] is designed to let the attacker steal information," ... "He could steal password data or the worm could activate a key logger whenever you're doing online banking."

    ... if the 20 IPs used in the attack are available and manipulated by the attacker, the attacker can install malicious code of choice on SoBig infected computers connecting to the downloader IP. The code may be anything but has traditionally been a backdoor Trojan (Lala/Hooker) and then a copy of Wingate (proxy server).

    "Blocking outbound UDP 8998 activity will successfully block SoBig communications with remote servers hard coded into the code of the worm used for updating itself/installing new code. Additionally, blocking against the NTP server ports may prevent the worm from meeting certain date and time conditions for the secondary and tertiary attacks. [Also] Block port 123 and UDP ports 995-999," ... and ... block against the Wingate proxy server if found on a computer so that spam cannot be sent through a formerly infected or currently infected computer.
    Complete article here: New Phase of Sobig.F Set for Fridays
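The blocking advice quoted at the end of the article (outbound UDP 8998, UDP 995-999, and NTP on port 123) is also a detection opportunity: a host on your LAN that starts talking UDP/8998 to the Internet, or queries NTP servers you never configured, is worth a look before the Friday window. The script below is an added example, not part of the article or this thread; the log lines are constructed in the kernel/iptables LOG format and the addresses, the approved NTP server and the rule set are assumptions.

```python
"""Spot the Sobig.F network behaviour the quoted article describes in
outbound firewall logs: UDP/8998 to the hard-coded update servers, NTP
(UDP/123) to servers you never configured, and UDP 995-999. Added example,
not from the thread; log lines and addresses are constructed."""

import re
from collections import defaultdict

# Constructed iptables LOG lines for a small LAN. 192.168.1.23 shows the
# pattern of an infected host; 192.168.1.40 only talks to the approved NTP
# server and a web site.
SAMPLE_LOG = """\
Aug 22 14:58:01 fw kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=1035 DPT=8998
Aug 22 14:58:02 fw kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.7 PROTO=UDP SPT=1036 DPT=123
Aug 22 14:58:05 fw kernel: OUT=eth0 SRC=192.168.1.40 DST=192.0.2.50 PROTO=UDP SPT=123 DPT=123
Aug 22 14:58:09 fw kernel: OUT=eth0 SRC=192.168.1.23 DST=198.51.100.8 PROTO=UDP SPT=1037 DPT=997
Aug 22 14:58:11 fw kernel: OUT=eth0 SRC=192.168.1.40 DST=203.0.113.9 PROTO=TCP SPT=2003 DPT=80
"""

# Assumption: the one NTP server this LAN is supposed to use.
APPROVED_NTP = {"192.0.2.50"}

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")


def parse_line(line):
    """Pull the KEY=value fields out of one LOG line; None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if not {"SRC", "DST", "PROTO", "DPT"}.issubset(fields):
        return None
    fields["DPT"] = int(fields["DPT"])
    return fields


def classify(rec, approved_ntp=APPROVED_NTP):
    """Return the Sobig-related indicators matched by one outbound record."""
    hits = []
    if rec["PROTO"] != "UDP":
        return hits
    if rec["DPT"] == 8998:
        hits.append("udp/8998 to %s (Sobig update channel)" % rec["DST"])
    elif 995 <= rec["DPT"] <= 999:
        hits.append("udp/%d to %s (995-999 range)" % (rec["DPT"], rec["DST"]))
    elif rec["DPT"] == 123 and rec["DST"] not in approved_ntp:
        hits.append("ntp query to non-approved server %s" % rec["DST"])
    return hits


def suspicious_hosts(log_text, approved_ntp=APPROVED_NTP):
    """Map each internal source address to the indicators it triggered."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for hit in classify(rec, approved_ntp):
            findings[rec["SRC"]].append(hit)
    return dict(findings)


def block_rules(approved_ntp=APPROVED_NTP):
    """iptables OUTPUT rules implementing the article's blocking advice.

    NTP is allow-listed rather than dropped outright so clocks keep working."""
    rules = [
        "iptables -A OUTPUT -p udp --dport 8998 -j DROP",
        "iptables -A OUTPUT -p udp --dport 995:999 -j DROP",
    ]
    for ip in sorted(approved_ntp):
        rules.append("iptables -A OUTPUT -p udp --dport 123 -d %s -j ACCEPT" % ip)
    rules.append("iptables -A OUTPUT -p udp --dport 123 -j DROP")
    return rules


if __name__ == "__main__":
    for host, hits in suspicious_hosts(SAMPLE_LOG).items():
        print(host)
        for h in hits:
            print("   ", h)
    print("\n".join(block_rules()))
```

Run against a real LOG-target log from an edge firewall, the only hosts that should appear are the ones you want to pull off the network and run the removal tool on; the NTP allow-list is the one part to adapt, since the article's flat "block port 123" also stops legitimate time sync.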
