Microsoft Virus Spam: SoBig.F
If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.
If you set your score for MICROSOFT_EXECUTABLE high enough, these emails with their .pif attachments get sent right to /dev/null
I want to delete my account but Slashdot doesn't allow it.
These things have been patched months or years ago. Boo hoo for the people that don't patch their systems.
Just read about it on the BBC
http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html
I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.e
into the worm see the network associates
Also: I remember a worm (maybe a year and a half ago) which ran directly through Outlook (by simply activating an email, without opening the file). Does anyone remember this? If so, please refresh my memory. Thanks.
"this is the gloaming"
radiohead
According to several of the Norwegian news sites, Norway's outbreak accounts for 33% of the registered incidents, and the USA follows with 30%, and so on. It's annoying as he**; I have got about 65 virus mails in the last three hours and counting.
I'm interested to see if is updated to include info on -f. The -e article was a good eye-opener.
In Soviet Russia...michael would be rotting in Siberia!
Starting with Office XP you'll see that Outlook automatically blocks attachments ending in PIF, BAT, EXE, etc. This is an absolute that can only be modified through admin policies out in an Exchange folder.
If you are looking for this type of deal I *think* Outlook 2000 has a service pack that installs the attachment blocking.
Hope this helps!
I got 436 hits this morning in 2 hrs for my company's email (~500 employees). I already had *.pif files blocked (I'll give any of my users a free beer if they could even tell me what a *.pif file was used for, much less why they should be receiving it). In 2 hrs a dial-up ISP in California, the University of New Hampshire, the Indiana University of Pennsylvania, Piglet.DisneyOnline.com, a Verizon DSL node, and an Adelphia cable modem node had all been shut down and cleaned. As soon as I recognized what was coming in, I traced the source IPs, called the contacts, and talked to their IT people. With the exception of Disney, all were quite co-operative, had their machines down within minutes of notification, and back up after cleaning the virus.
The nature of these Sobig virii/viruses is that they repeatedly hit the same addresses. Take a few seconds, look at the header, get the IP, look up the DNS, get the contact name, call and explain, and you'll save yourself (and countless others) a lot of unnecessary hell.
-Ab
ps. that also explains why some of my posts this morning were a little bit
Nothing fails quite like prayer.
I just got a bounce message (with the e-mail below attached) from an automated domain mail admin because it believed I was the sender of a so.big payload (to a user who has a full e-mailbox).
I don't use Windows, so it's not coming from any of my boxes.
Here's the header and body text:
-----
Received: from HP ([141.154.241.155]) by mta02.mail.mel.aone.net.au
 with ESMTP
 id <20030819180952.SWCW5855.mta02.mail.mel.aone.net.au@HP>
 for [removed for /. post]; Wed, 20 Aug 2003 04:09:52 +1000
From: [removed for /. post -- it was my valid email address]
To: [likewise removed]
Subject: Re: That movie
Date: Tue, 19 Aug 2003 14:10:02 -0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="_NextPart_000_00FA8C46"
Message-Id:

This is a multipart message in MIME format
--_NextPart_000_00FA8C46
Content-Type: text/plain;
 charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream;
 name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
 filename="your_document.pif"
-----
The your_document.pif was a binary of about 100k.
The best way to do is to be.
Here is HouseCall, their free online virus scanner.
Anyone without an antivirus program seriously needs to get one:
McAfee
Symantec (Norton)
Trend Micro
Just to name a few...
A worm is a program that propagates itself over a network, reproducing itself as it goes. While this worm may require user intervention, there exist plenty of worms that do not (the most infamous being the Morris Worm). A malicious program that masquerades as a legitimate application is a Trojan horse.
SoBig.F appears to be a Trojan with some worm-like qualities. Of course, in the world of Microsoft mail exploits, the lines are blurred, but a worm is generally not a user-launched process.
Pedantic, I know, but worms are a special interest of mine, and they generally take a fair bit more skill to create than your average Trojan horse.
Obliteracy: Words with explosions
I've gotten more than a half dozen today. I'm in Sweden, although only one of my addresses is a .se. Considering I have 5 addresses I use regularly, and one guy is claiming 5000 copies of it this morning, I guess I got off lucky. For the moment.
My Mac is obviously immune to the thing, and so is my Windows box, seeing that it has IE and Outlook completely removed (yes, every last stupid .dll killed and a couple of programs patched to work without it), so it wouldn't get any traction there, even if I used it for email, which I don't.
But the worrying thing is I'm already getting attachment removal notices from mailservers that delete these things, so at least one copy of this bloody thing is forging my address when it tries to reproduce. Bloody hell.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Friends don't let friends enable ecmascript.
I do have the book with me. So here's the quote from page 428 of the latest paperback edition.
IF THIS WERE A VIRUS
YOU WOULD BE DEAD NOW
FORTUNATELY IT'S NOT
THE METAVERSE IS A DANGEROUS PLACE;
HOW'S YOUR SECURITY?
CALL HIRO PROTAGONIST SECURITY ASSOCIATES
FOR A FREE INITIAL CONSULTATION
crud. lameness filter. adding some more lowercase random crap here so that it will pass the lameness filter. stupid lameness filter.
Yay for trustworthy computing.
MS jokes aren't innovative, but can still be fun, but not as fun if they aren't trying to relate to the truth very much. Read up about trustworthy computing and learn how it is a process that has barely taken off today, but is an effort that will show up more in Longhorn, etc. DRM and NGSCB are two technologies that have a lot to do with trustworthy computing that aren't even implemented in today's versions of Windows.
In 2002, MS said:
"It may take us ten to 15 years to get there, both as an industry and as a society."
Trustworthy computing is in many ways only at the concept stage thus far.
Sure, one might wonder what's making them think it will take a time period as long as an outrageous 15 years to get these things straight, and one might think DRM is Bill Gates' worst idea ever, but then one should comment about this instead. It may seem that I'm defending Microsoft, although in this case I'm just annoyed by a joke I've seen numerous times before, and that must have been made up by some uninformed person.
Beware: In C++, your friends can see your privates!
Here is a decent procmail rule, probably not perfect.
# Outer recipe: size window, then the MIME header check.
:0
* > 100000
* < 120000
* ^Content-Type:.*multipart/mixed;
{
  # B: match conditions against the body; h: pipe only the header to the
  # command; f: treat the pipe as a filter; i: ignore write errors.
  # The attachment name list in the second scored condition is truncated
  # in the original post ("document_Fa").
  :0 Bhfi
  * ^Please see the attached zip file for details.
  * ^Content-Disposition: attachment;
  * ^Content-Transfer-Encoding: base64
  * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
  * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|document_Fa|thank|screensaver|movie)[0-9]*\.zip"?
  | formail -A "X-Content-Security: [$HOST] NOTIFY" \
            -A "X-Content-Security: [$HOST] QUARANTINE" \
            -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
}
Programming can be fun again. Film at 11.
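An added example, not from any poster in this thread, that applies in Python the same checks as the quoted header and the procmail rule above: it parses a constructed message modelled on that header, flags the lure text together with an executable attachment, and pulls the relay IP out of the Received header for the look-up-and-call step. The sample message, the blocked-extension list and the lure regex are assumptions.

```python
import email, re
from email import policy

# Constructed sample modelled on the header quoted above; the attachment
# body is a harmless base64 placeholder ("PLACEHOLDER"), not the worm.
SAMPLE = """\
Received: from HP ([141.154.241.155]) by mta02.mail.mel.aone.net.au
 with ESMTP id <placeholder-id@HP>; Wed, 20 Aug 2003 04:09:52 +1000
From: spoofed.sender@example.com
To: victim@example.com
Subject: Re: That movie
Date: Tue, 19 Aug 2003 14:10:02 -0400
Content-Type: multipart/mixed; boundary="_NextPart_000_00FA8C46"

--_NextPart_000_00FA8C46
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

UExBQ0VIT0xERVI=
--_NextPart_000_00FA8C46--
"""
# Assumed blocklist, in the spirit of the Outlook XP list mentioned above.
BLOCKED_EXT = (".pif", ".scr", ".exe", ".bat", ".com", ".vbs")
# Lure text from the posted header ("attached file") and the procmail rule ("attached zip file").
LURE = re.compile(r"please see the attached (zip )?file for details", re.I)

def triage(raw):
    """Return SoBig-style indicators plus the relay IP from the earliest Received header."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = {"lure": False, "exec_attach": [], "relay_ip": None}
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(BLOCKED_EXT):
            hits["exec_attach"].append(name)
        elif part.get_content_type() == "text/plain" and LURE.search(part.get_content()):
            hits["lure"] = True
    received = msg.get_all("Received") or []   # last Received header = earliest hop
    if received:
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", received[-1])
        hits["relay_ip"] = m.group(1) if m else None
    hits["suspect"] = hits["lure"] and bool(hits["exec_attach"])
    return hits
```

The relay IP is the value to run through whois/DNS and phone about, as the earlier post suggests; the From address is spoofed and useless for that.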
Instead of deleting them by hand, you can train the filter with several of them and then from menu bar -> Tools -> Run Junk Mail Controls on Folder.
Alternatively you can set up a message filter (from the Tools menu too) and then run it on your inbox.
Good luck.
Perhaps I should have specified AUTOMATED responses.
Since most of the envelope addresses are spoofed (sobig certainly does this), having a mail server with a virus scanner automatically shoot off a message to the envelope address does no good. The admin of the server that sent the virus won't see the message, the spoofed address gets messages for stuff they can't do anything about.
I know I'm not going to sit and send 100 virus notifications for the mail I've gotten in the last 30 minutes!! Half the idiots don't even have a postmaster alias; the exercise is close to pointless.
Anything is possible given time and money.
http://clamav.elektrapro.com/
Works for me, has for several months now...
Because the default in my email client (and hopefully yours) is not to fetch anything referred to in an HTML document, like images, popup JavaScript etc., because that's the oldest trick in the book to verify email addresses without the user's intervention. Links, however, are still displayed in case they are useful and without malice.
So you still have the course of social engineering to get the user to click the link at least.
> This same thing could happen on Linux, there is nothing stopping a Linux user from running a file attachment. This isn't a MS problem, it is a user education problem.
The difference being that Linux applications don't go out of their way to make it easy for idiots to do what idiots do best.
The general public is never going to be computer savvy, any more than 100 years of experience and probably a few million lost lives has made them automobile savvy. Designing general-use software that requires a high level of user sophistication in order to be rudimentarily secure is as much a design error as designing software that requires three arms to use would be, because the human capability isn't there and never will be.
The fact that it "could" happen on other OSes but isn't, is the best argument that it is MS's fault.
Sheesh, evil *and* a jerk. -- Jade