W32.Sobig.E@mm Worm Spreading Rapidly
mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
My filter declines .zip files that contain executable files, but it passes .zip files that contain only documents.
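One way to implement the attachment policy this comment describes, as an added example that is not the commenter's own filter: open each .zip attachment, reject it if any member (including members of a nested zip) looks executable, and pass it only when every member is a document. The executable-extension list, the nesting limit and the sample archives are assumptions constructed for this example, not taken from the thread.

```python
"""Zip attachment policy: reject archives containing executables, pass
document-only archives. Added example, not the commenter's own filter."""
import io
import zipfile

# Assumed set of extensions a mail filter would treat as executable.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}
MAX_DEPTH = 2  # assumed limit on how far to descend into nested archives


def _is_executable(name: str) -> bool:
    """True if the member's final extension is executable. Trailing spaces
    and dots are stripped first so 'report.doc .exe' is still caught."""
    base = name.rsplit("/", 1)[-1].rstrip(" .").lower()
    return any(base.endswith(ext) for ext in EXECUTABLE_EXTS)


def zip_verdict(data: bytes, depth: int = 0) -> str:
    """Return 'reject', 'pass' or 'unreadable' for one zip attachment."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                if _is_executable(info.filename):
                    return "reject"
                if info.filename.lower().endswith(".zip"):
                    # Nested archive: refuse what cannot be inspected
                    # (too deep or encrypted), otherwise recurse.
                    if depth >= MAX_DEPTH or info.flag_bits & 0x1:
                        return "reject"
                    inner = zip_verdict(zf.read(info), depth + 1)
                    if inner != "pass":
                        return inner
            return "pass"
    except zipfile.BadZipFile:
        # Not a valid zip: the filter cannot look inside it.
        return "unreadable"


def build_zip(files: dict) -> bytes:
    """Constructed sample attachment: {member name: content bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    print(zip_verdict(build_zip({"minutes.doc": b"x", "notes.txt": b"y"})))
    print(zip_verdict(build_zip({"your_details.pif": b"MZ"})))
```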
Are you trying to say that not all filters would be capable of doing that?
I have been trying to do my own retrospective prediction :) based on the data available at Internet Traffic Report
As far as I can make out, all the US routers are doing fine (green). The response time seems to have gone up a tad at 2am MST, but other than that I don't see anything unusual.
When I look at Asia, 5 out of the 21 routers are down (red) and the packet loss is up 2%. Does that mean that the worm has hit Asia hard? I know this worm should clog up mainly mail servers, but I wonder how feasible it is to predict worm arrival/origin/etc. based on this easily available information, assuming of course that it's available in real time.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Requires that Postfix be built with PCRE support, and is for Postfix 2.x versions. For Postfix 1.x versions you'll have to put that in body_checks.
Disclaimer: Use at your own risk. I *believe* this'll work, but, strangely enough, I haven't received any to be rejected yet!
During all these events, a large response time and increased packet loss are observed, as expected.
Observe that the average response time hit a peak simultaneously across all continents between 11:30am and 2:30am MST as noted earlier, which coincides with reports of the W32.Sobig.E@mm worm. It has since deteriorated, possibly indicating that the worm has some throttling mechanism, which some worms use to prevent congestion from affecting their own propagation rate.
Either that, or we haven't seen the peak yet.
There is a payload, but it is not immediately obvious. Like every sobig variant, its job is to download a second stage trojan. Check out the whole story of what sobig.a (and likely all the rest) are supposed to do after infecting you: http://www.lurhq.com/sobig.html
I've posted all the relevant information about this virus since 4pm on Tuesday, which beat out most of the major news outlets, except CNET. I've kept the info up to date with the list of virus vendors and the latest virus news in the online media, and manual removal and automatic removal tools.
;)
I would like to thank MessageLabs, as they are always the first to notify about major virus outbreaks. Sophos is a close second and is good about notifying about everyday viruses. McAfee's alerts are good, but usually a little late; they only notify once it hits the news media. Symantec wants you to pay an outrageous price for their virus alerts, and I doubt they give you any earlier warning than MessageLabs or Sophos, which provide the service for FREE. Symantec is becoming the Microsoft of virus vendors; they're trying to spread out everywhere now in the security field, buying up companies left and right. Their quality of product is going down because they don't use a google.com-like motto, "do one thing and do it well", which they used to do. But their automated virus removal tools are still pretty good. IMHO
If you would like to sign up for MessageLabs's great early warning notification service, go here.
If you want Sophos's excellent everyday notification about all viruses, go here.
If you would like to get McAfee's AVERT Labs notifications, go here.
Or you can just check out my virus posts on security-forum.com, but I only post the major outbreaks because there are TOO MANY viruses out there to post every single one.
Founder of Securityflaw Creator of