W32.Sobig.E@mm Worm Spreading Rapidly
mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."
I have been trying to do my own retrospective prediction :) based on the data available at Internet Traffic Report.
As far as I can make out, all the US routers are doing fine (green). The response time seems to have gone up a tad at 2am MST, but other than that I don't see anything unusual.
When I look at Asia, 5 out of the 21 routers are down (red) and the packet loss is up 2%. Does that mean that the worm has hit Asia hard? I know this worm should clog up mainly mail servers, but I wonder how feasible it is to predict worm arrival/origin/etc based on this easily available information, assuming, of course, that it's available in real time.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Requires Postfix be built with PCRE support and is for Postfix 2.x versions. For Postfix 1.x versions you'll have to put that in body_checks.
Disclaimer: Use at your own risk. I *believe* this'll work, but, strangely enough, I haven't received any to be rejected yet!
There is a payload, but it is not immediately obvious. Like every sobig variant, its job is to download a second stage trojan. Check out the whole story of what sobig.a (and likely all the rest) are supposed to do after infecting you: http://www.lurhq.com/sobig.html