Slashdot Mirror


W32.Sobig.E@mm Worm Spreading Rapidly

mabu writes "Apparently there is another worm spreading online. Symantec has upgraded its severity to 'category 3.' This worm appears to primarily affect Microsoft systems, has an expiration date of July 14th, and searches users' machines for select files containing e-mail addresses that it uses to propagate itself."

12 of 547 comments

  1. Fortunately... by Hadlock · Score: 5, Interesting

    I have an "early slashdot worm story alert system" built into my DSL connection. I found out about this around midnight last night, when my DSL connection proceeded to slow to a crawl, and even google was returning results with considerable lag.

    Anyone else so lucky to have a system such as mine? This works well on the UTA campus network, also. At least, a worm story has been reported w/in 24 hours of every noticeable long slowdown of the net for me...

    --
    moox. for a new generation.
  2. Re:Ok so this might be a weird request..... by gad_zuki! · Score: 4, Interesting

    I think virus writers' priorities have changed since. With everyone on the net now, the bragging points have to do with how quickly and how many machines you can infect. It's quantity over quality. Payload? What payload?

    Ah yes, the halcyon days of the wazoo virus or when getting a virus meant your disk partitions were officially destroyed.

  3. Why Never Apple? by Bloodmoon1 · Score: 5, Interesting

    Ok, this is a serious question, not an attempt to start a flame war or anything, but why does this always happen to MS systems? I use a Mac and have only had to work with Windows at my college and a few other times here and there. I've NEVER seen a live Mac trojan or worm and have only ever encountered one virus (the 666 one) that wasn't really malicious and only added some extra resources labeled "(Box thingy)666" in an application's resource fork that caused an application to run a little slower. And that was 4 or 5 years ago in OS 7.5 or 8.

    Now, I understand the "security through obscurity" theory that basically says Macs have far fewer virii problems than PCs because not nearly as many people use Macs, but that's sort of a dead idea nowadays. While we don't have nearly the numbers of any MS OS, by Apple's numbers, there are 7 million users of OS X, which makes the current number of users in the OS X community about as large as the populations of Hong Kong (7,303,334) or Switzerland (7,301,994), and about 1 million more people than the pop. of Israel (6,029,529). (Go on, check my numbers.) And just for good measure, add to that the fact we now have a more or less Unix based OS and therefore must have some common ground with numerous other OSes. It's not like we're a tiny little niche to go after, or one that no one knows how to program for. Hell, Apple even gives away developer tools to write out and compile programs. So why don't we ever see any worm, trojan, or virus outbreaks for OS X?

    --

    Request: ECM unit, 1000 km fullerene cable, 1 tactical nuclear weapon. Reason: Birthday party for foreign dignitary.
  4. Re:They don't make em like they used to by Peer · Score: 5, Interesting

    Is this a subtle way of trying to say "Yes it's another fucking windows virus" without sounding like we're anti windows?

    The Register is less subtle (almost advertising other platforms):
    "As usual, the worm affects only Windows PCs. Linux and Mac users are immune."

  5. yeah, I'm running Windows by alizard · Score: 3, Interesting
    Red Hat 9 is on the other HD, this is a dual boot box. I'll think about going full-time with Linux when someone comes up with an Open Source vector draw app that'll read my Corel Draw 8 files. I said vector-draw, not bit-map/paint, so don't tell me about GIMP, that's something GIMP does not do.

    However, I run Eudora, not Outhouse Express, and ZoneAlarm renames file attachments so they can't be opened by accident. (as in click and you got a prompt asking if you really want to do this?)

    There really isn't an excuse to get nailed by this even for Windoze users for the most part, "executable file attachment from somebody I don't know" =! CLICK HERE. These virus-generated e-mails all have a generic look to them, I dump them unopened into my virus-contaminated folder for later cleanup.

    I got rid of 16 copies of Sobig.E today.

  6. Re:A (very) nice virus again by janda · Score: 4, Interesting

    To quote the parent:

    I mean, why would all virus writers suddenly become so nice?

    Because most of the virus writers today don't know the difference between an IBM 3090 and an Atari 2600? If you think I'm kidding, look at some of the stuff from the 80's, which would see if you were infected by virus "x", and DISINFECT YOUR COMPUTER FOR YOU IF YOU WERE, before infecting you with virus "y".

    It also provides an interesting "but I didn't do any harm" attempt at defense if they are actually caught and Mommy and Daddy have to cough up money for a lawyer.

    --
    Karma: Food Fight (Mostly affected by Date Plate).
  7. Actually a variant of Sobig.E perhaps? by ashitaka · Score: 4, Interesting

    Sobig.E first hit Wednesday, a couple of copies got in before I warned the huddled masses to not open any .ZIP attachments until CA got their act together which they did a couple of hours later. A full scan of the Exchange store cleaned everything off and anything new is getting cleaned on the way in.

    NOW, late this afternoon I get a couple of emails from the lawyers saying they are appearing again, just as one pops up in my Inbox.

    CA did update their signature again late in the day which opens up two possibilities:

    1) The latest signature broke the ability of CA's software to catch Sobig.E or

    2) This is a new variant (Sobig.F?)

    --
    If you don't want to repeat the past, stop living in it.
  8. Re:They don't make em like they used to by caluml · Score: 4, Interesting
    14th of July being Bastille Day in France.

    "In France, the 14th of July is a National Holiday. It is known as Bastille Day and celebrates the storming of the Bastille, a French prison, in 1789. This was the start of the French Revolution."

    Wonder if this has any relevance? Maybe it's a signal, a secret message.. :)

  9. Re:All it takes... by EvilTwinSkippy · Score: 4, Interesting
    2 of my users received the virus, despite running a filter that looks for .pif (and the dozen or so other extensions you can click and shit with) attachments. It's supposed to decompress and scan zipfiles. I just added ZIP to the shitlist until I get it figured out.

    My viruses were from support@dell.com. I've banned outlook, but looking through the headers, it is obvious that SOMEONE was using it.

    I'm about to ban attachments altogether and instead write a web-based document distribution system. At the very least it makes tracking the provenance of documents easier. Besides, users have this habit of NEVER throwing away email, and the attachments eat up a lot of room on the server.

    We run IMAP. (That's another discussion)

    --
    "Learning is not compulsory... neither is survival."
    --Dr.W.Edwards Deming
  10. Sobig hit Ohio State hard by NorthWoodsman · Score: 3, Interesting

    It managed to pick up the name of the CIS Undergrad mailer address, so suddenly all of us were getting the Sobig virus over and over again, as well as getting it from all the infected people. Yeah, it was great. Now, why just anyone could mass mail something by sending an Email to the undergrad mailing address is somewhat of a question..

    I did see some people saying "When's the next service pack coming out to fix this"; this virus isn't clever enough to use exploits, it's just another lamer Email Windows worm that generates network traffic.

    --
    1p}{ 1 sp34k |33+ +|-|e|\| p30p13 \/\/il| 8e i/\/\pr3553|)
  11. Here is how I got infected yesterday... by StressGuy · Score: 5, Interesting

    1) Had an e-mail from a ".mil" domain (forget the actual address)

    2) Having recently mailed some questions to some government research agencies, I assumed this was a response to one of them, so, I opened the e-mail (I use Mozilla).

    3) No message in the e-mail, just an attachment called "your_application.zip". This was a tad suspicious so I copied the file and scanned it with a corporate edition of Norton Anti-Virus last updated on June 18th.

    4) Virus scan came up clean so I opened the file. After seeing that it was only a ".pif" file, I started to get concerned, tried to edit the file by right-clicking and the edit option didn't show. At this point, I'm pretty sure it's a virus.

    5) Examined the header information from the e-mail and discovered that it actually originated from another office computer and the "from" address was spoofed. Now, I'm all but certain it's a virus.

    6) Went to the Symantec website and, sure enough, the virus information is there along with notification that the patch was only available since June 25th.

    7) Downloaded their fix tool and checked all computers in our office for evidence of infection. Was able to clean them all.

    So, even though I was relatively careful, I was still able to get infected. Primarily because:

    a) The "From" address was an expected source.

    b) I do occasionally get legitimate e-mails that are only an attachment with no text.

    c) This particular virus was so new that my virus scanner was not sufficiently up to date.

    FYI, I guess...

    --
    A goal is a dream with a deadline
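Comments 9 and 11 above describe the same gap from two sides: a mail filter that blocks .pif attachments but let a .zip through, and a mail whose only content was a .zip holding a .pif. The following is an added example (not from the thread or any of its posters) of a mail-side check that lists zip members in memory before the attachment reaches a user; the extension blocklist, the sample message, its sender and its filename are constructed assumptions.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Extension blocklist (assumed for this example): the .pif the worm used plus other clickable types.
BLOCKED_EXTS = {".pif", ".exe", ".scr", ".bat", ".com", ".vbs"}


def _ext(name: str) -> str:
    """Lower-cased extension including the dot, or '' if there is none."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def suspicious_attachments(raw_message: bytes) -> list[str]:
    """Return one reason string per attachment to quarantine.

    Looks inside .zip attachments in memory, so a blocked file
    cannot hide behind the .zip extension (the thread's filter gap).
    """
    findings = []
    for part in email.message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if not name:
            continue  # body text and multipart containers carry no filename
        ext = _ext(name)
        if ext in BLOCKED_EXTS:
            findings.append(f"{name}: blocked extension {ext}")
        elif ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            try:
                with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                    hits = [m for m in zf.namelist() if _ext(m) in BLOCKED_EXTS]
                findings.extend(f"{name}: contains {m}" for m in hits)
            except zipfile.BadZipFile:
                findings.append(f"{name}: not a readable zip, quarantine")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample mirroring comment 11: empty body, one zip with a .pif."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("your_application.pif", b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["From"] = "someone@example.mil"  # constructed; the real sender was spoofed
    msg["Subject"] = "your application"
    msg.set_content("")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="your_application.zip")
    return bytes(msg)
```

The check inspects member names only, so it complements rather than replaces a signature scan; a nested or password-protected archive would still need to be quarantined on the "not readable" path or by policy.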
  12. PEBCAK by EvilAlien · Score: 4, Interesting
    No, it's another way of saying "Windows users are still dumb and don't apply patches or basic security best practices despite getting exploited over and over ad nauseam".

    Why be subtle about it?

    I went to a seminar yesterday wherein a security guy from Microsoft (stop laughing, it's not funny yet) extolled the virtues of Windows Server 2003. They have learned their lesson about security and ease-of-use being the only development consideration... guess where they learned it from? All the best practices they have implemented for Server 2003 come from Linux, Unix, and the Open Source world. "Free How-Tos"! What an innovation!

    Now if only someone can teach the MS admins and users to apply the goddamn patches that Microsoft releases! (for an example of what I'm talking about, see anything about the SQL Slammer specifically)

    --
    perl -e 'print $i=pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'