W32.Sobig.E@mm Worm Spreading Rapidly
mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
just kidding.
"This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th,"
Yuck. The only thing worse than worms are rotten worms.
expiration date of July 14th
Well isn't this the French national holiday. Maybe somebody is angry because they didn't join the war against weapons of mass.. er, what was that war about again?
All it takes is for one of those spammers with 15 million email addresses to get infected...
but can someone please write a good virus for once. :P. I mean back in the day virii actually did stuff, now they just email over and over. Remember when your computer used to get "Stoned"? So, instead of bitching about virii, I just ask, if you're gonna write one at least make it do something fun.
From: Cowboy Neal
To: Cowboy Neal
Subject: Re: Your Mail
Click the attached link - it's great...
Attached file:
www.yahoo.com
[application/octet-stream]
1. Virus writers
2. Spam merchants
3. ???
I know what 3 really is!
3. PROFIT!!!
Yahoo! variant! of! Microsoft! support! worm! spreading! rapidly!
By John Leyden
Posted: 26/06/2003 at 10:22 GMT
Stop us if you've heard this before, but there's another prolific email worm loose on the Internet today.
Sobig-E differs from its predecessors, the Sobig-B (aka 'support@microsoft.com') and Sobig-C (aka 'bill@microsoft.com') worms, by spreading itself in the form of a ZIP file. This time around infectious emails sent out by Sobig-E pretend to come from support@yahoo.com or another spoofed email address.
The worm is spreading rapidly, with many vendors upgrading the severity ratings they attach to the worm this morning. At the time of writing, managed services firm MessageLabs has blocked 22,156 copies of the worm over the last 24 hours.
Sobig-E normally spreads via emails with randomised subject lines (such as Re: Documents and Re: Re: Movie) and .zip attachments containing infectious .scr and .pif files. Like its predecessors, Sobig-E has a built-in expiry date - in this case 14 July. Click on the infectious attachments and you catch the pox.
As usual, the worm affects only Windows PCs. Linux and Mac users are immune.
On infected PCs Sobig-E sends email to addresses collected from files with the following extensions: .wab, .dbx, .htm, .html, .eml, .txt. This trick is the likely reason behind the worm's rapid rise to prominence.
Sobig-E appears to also have the ability to spread via network shares and uses its own SMTP mail engine for sending email to further propagate.
So what to do?
Don't run suspicious email attachments and update your AV signature files. Don't allow Rob Malda to have write access to your box. He *will* put illegal gay porn on it, trust me.
It's as simple as that really.
A write-up of the varmint by Symantec provides more detailed information. ®
Might be able to get it to run under wine (yes I am joking).
----
Q: Is this alert severe?
A: Yes, it is. Systems that connect to the internet using any Microsoft OS are vulnerable.
Q: When can I get a Service Pack for this?
A: When we include this bug..er, fix in the next Service Pack. We released SP4 yesterday. Six months more, at least.
Q: Are there any mitigating factors?
A: Yes.. if you run Linux or GNU/Linux or NetBSD, you need not worry.
This bug will disappear by July 14th, and the replacement bug will be announced in Dec 22.
Contrary to Gartner reports, we know that millions of people use Linux on the desktop without much trouble. If you want a permanent solution, install Linux.
Q: How can I protect myself from further attacks?
A: Learn to use a Linux system. Contrary to what Aberdeen says, there are fewer bugs in Linux.
Q: What if I never connect my system to the Internet?
A: Then tell us your address, so we can send you the ServicePack and an invoice for $50.
Q: Are pirated copies of Windows more vulnerable?
A: We like you to think so, yes.
If you keep throwing chairs, one day you'll break windows....
> This worm appears to primarily affect Microsoft systems
<Nelson>
Ha - Haah!
</Nelson>
And now...
<Hanz&Franz>
Once again, ha haa! I lauugh at you silly foolz, with your flabby Windowz and your buuggy virus-baiiting Outlook email reader. I sit here with my puuumped-up Linux system, and my maanly Mutt text-only mail reader, and I open up my spam and virus emails and lauugh again because they cannot haarm me!
Ha Haaaah!
</Hanz&Franz>
"Orthodoxy is unconsciousness" - Orwell
I am running OS X on my Powerbook G4, and I have never had a worm. Am I missing something?
Wasn't there just a Windows worm story last week?
Nope, there are also viruses affecting Macs. And worms affecting Apples. For example, yesterday at the cafeteria, I had an apple whose security had been breached by a worm.
just set your clock back to May and the virus won't have been released yet!
There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
This may indeed help. While the Windows users' PCs are down for virus removal, they won't bog down the mail servers with their chain letters, flash animation attachments, screen saver attachments, and various hoaxes. Thanks for the idea; I'll try it out next time a luser attempts to send a 34 Megabyte Word document...
I'd much rather spend three hours buried in a manual to change a setting than double-click an icon and click a checkbox. Open sores linux hippies are so fuckin 1337
Sadly, I have seen this. A year or so ago, when the latest new email worm came out, we quickly fixed the mail filtering to stop it, but a few copies got through. So we sent out an urgent email to all our staff with a "Do not open the attachment on an email with the subject *blah* because it is a virus".
Half an hour later, we get an apologetic developer wanting us to rebuild his machine, because he ran the virus.
When asked if he saw the warning message, his response was "yes, but I wanted to see what it did". Well, at least he was honest.
As the parent poster said, a malicious person trying to do maximum damage would write for Windows. The Mac is the next best choice because, like Windows, you don't have big binary compatibility problems.
Linux is tougher to write this kind of thing for because it would require that the user perform so many steps. First the user would have to extract the tar file from the gzip file. Then he would have to expand the tar archive onto his hard drive, which would put the source there. Then the user would cd to the location where the source extracted. Then he would probably have to set various environment variables. Then he would have to run gmake. Then he would need to interpret the error messages to determine why the build didn't work. Then he would have to find and add various development tools and libraries to his system, adding any environment variables that they needed. Then he could try building again. When he finally got the build to work, he could then run the resulting executable, which would tell him to type "man {trojan/worm name}". The man page would show various command line switches for specifying the e-mail client being used and various network options. Then the user would construct the proper command line to run the program and WHAM! Just like that, his system is infected.
I may have left out a few steps or so, but you get the idea...
s/dumb/innocent/
From the number of the things that are being caught on our Exchange servers, it works extremely well :-)
Expiration date of this virus is 14th July. If you want to use this virus, it must be activated. Activation prevents virus piracy and ensures a virus-free virus.
Of course this virus was not produced by a /.er. If it was, it would have .rar instead of a .zip
Where may I download the source code in order to port it to OpenBSD?
{{.sig}}
Am I not the only one tired of seeing Klez rule the worm/virus roost? It's good to see some new blood every once in a while. Face it, Klez was becoming like the Lakers and the Yankees...
Acquiescence leads to obliteration
But penguins eat fish. Fish eat worms. This worm eats Windows.
:P
Ehwe! Poor little worms
What's worse than finding a worm in your apple?
Finding half a worm in your apple.
(And now the resounding sound of groaning shall commence)
sin(6cos(r)+5A)
No, of course you're not the only one. But then, there's also plenty of people who think that the government is covering up groups of anal-probing space aliens, or that Bigfoot exists and is touring Las Vegas with Elvis. Not being alone in your belief doesn't mean that your belief has a firm footing in reality. [*]
Seriously, which do you think is more likely to get Joe Sixpack (the guy who can't even invest a few mouseclicks to run Windows Update a couple of times a year) to run out and buy some anti-virus software:
- Virus B, which after 2 weeks of spamming everyone in your address book with photos from the goatse.cx site, will go on to randomize your hard drive, nuke your BIOS, unplug the fridge the night after you stock up on ice cream, and finally shave the family dog and spray-paint it hot pink.
If I were an evil marketing person for a virus company, I know which version I'd expect to bring the desperate masses stampeding into the A-V aisle at their local computer store.
[*] I use these two examples because they're obviously inaccurate beliefs. Aliens take peoples' temperatures orally, not rectally...it's more hygienic, especially if you're the alien stuck cleaning up the probes afterwards. And everyone knows that Elvis is touring Des Moines for the next two months. Bigfoot is, of course, in Las Vegas, but he's opening for Siegfried and Roy.
A marriage is always made up of two people who are prepared to swear that only the other one snores.
Women. Women click attachments.