Slashdot Mirror


Microsoft Virus Spam: SoBig.F

If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.

15 of 557 comments

  1. Thank you Spamassassin by Gothmolly · · Score: 5, Informative

    If you set your score for MICROSOFT_EXECUTABLE high enough, and these emails with their .pif attachments get sent right to /dev/null

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Thank you Spamassassin by Uggy · · Score: 4, Informative

      Don't need spamassassin for this. If you are using qmail-scanner just set your quarantine-attachments.txt in /var/spool/qmailscan/ like so:

      .exe	0	EXE attachments not allowed
      .vbs	0	VBS attachments not allowed
      .lnk	0	LNK attachments not allowed
      .pif	0	PIF attachments not allowed
      .com	0	COM attachments not allowed
      .scr	0	SCR attachments not allowed
      .bat	0	BAT attachments not allowed

      Make sure whitespace between the columns is a tab and not spaces. Then rerun your qmailscanner db update and you're good to go.

      Spamassassin is WAY too intelligent to be feeding it filename extensions. This is a lot faster too.

      Are there any other extensions that would be good to block?

      --
      Toddlers are the stormtroopers of the Lord of Entropy.
    2. Re:Thank you Spamassassin by Electrum · · Score: 3, Informative

      If you set your score for MICROSOFT_EXECUTABLE high enough, and these emails with their .pif

      Even easier: reject it at the SMTP level

    3. Re:Thank you Spamassassin by Anonymous Coward · · Score: 5, Informative

      We filter these at the mail server:

      *.com, *.exe, *.bat, *.vbs, *.vbe, *.js, *.jse, *.hta, *.wsf, *.wsh, *.shs, *.scr, *.pif, *.lnk, *.chm

      All are potential vectors.

      http://antivirus.about.com has a bigger list of suspicious attachment types. Some are document types, but others are just special executable types in Windows, such as .chm files, which are compiled help files.

      It isn't these *have been* exploited by virus writers (though many have), but rather that they *could be*, because of their nature. I would never filter all of them, but I've gotta admit after scanning the list, most of these would be surprising to me to find in an email.

      ADE Microsoft Access Project Extension
      ADP Microsoft Access Project
      BAS Visual Basic Class Module
      BAT Batch File
      CHM Compiled HTML Help File
      CMD Windows NT Command Script
      COM MS-DOS Application
      CPL Control Panel Extension
      CRT Security Certificate
      DLL Dynamic Link Library
      DO* Word Documents and Templates
      EXE Application
      HLP Windows Help File
      HTA HTML Applications
      INF Setup Information File
      INS Internet Communication Settings
      ISP Internet Communication Settings
      JS JScript File
      JSE JScript Encoded Script File
      LNK Shortcut
      MDB Microsoft Access Application
      MDE Microsoft Access MDE Database
      MSC Microsoft Common Console Document
      MSI Windows Installer Package
      MSP Windows Installer Patch
      MST Visual Test Source File
      OCX ActiveX Objects
      PCD Photo CD Image
      PIF Shortcut to MS-DOS Program
      POT PowerPoint Templates
      PPT PowerPoint Files
      REG Registration Entries
      SCR Screen Saver
      SCT Windows Script Component
      SHB Document Shortcut File
      SHS Shell Scrap Object
      SYS System Config/Driver
      URL Internet Shortcut (Uniform Resource Locator)
      VB VBScript File
      VBE VBScript Encoded Script File
      VBS VBScript Script File
      WSC Windows Script Component
      WSF Windows Script File
      WSH Windows Scripting Host Settings File
      XL* Excel Files and Templates

  2. heh by abhisarda · · Score: 4, Informative

    Just read about it on the BBC

  3. Norton Write-up on Latest Sobig Variant by echucker · · Score: 3, Informative

    http://www.sarc.com/avcenter/venc/data/w32.sobig.f@mm.html

  4. This software will help if you got the virus by joeykiller · · Score: 5, Informative

    I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.

    ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.exe

  5. hmm by cetan · · Score: 5, Informative
    --
    In Soviet Russia...michael would be rotting in Siberia!
  6. Re:Block Attachments on Exchange? by gregarican · · Score: 5, Informative

    There are command line utils in Exchange 5.5 that can help delete these attachments totally. Look on the installation CD for details.

    Starting with Office XP you'll see that Outlook automatically blocks attachments ending in PIF, BAT, EXE, etc. This is an absolute that can only be modified through admin policies out in an Exchange folder.

    If you are looking for this type of deal I *think* Outlook 2000 has a service pack that installs the attachment blocking.

    Hope this helps!

  7. 1 every 10 seconds? by Abm0raz · · Score: 3, Informative

    I got 436 hits this morning in 2 hrs for my company's email (~500 employees). I already had *.pif files blocked (I'll give any of my users a free beer if they could even tell me what a *.pif file was used for, more or less why they should be receiving it). In 2hrs a dial-up ISP in California, the University of New Hampshire, the Indiana University of Pennsylvania, Piglet.DisneyOnline.com, a Verizon DSL node, and an Adelphia cable modem node had all been shut down and cleaned. Soon as I recognized what was coming in, I traced the source IPs, called the contacts, and talked to their IT people. With the exception of Disney, all were quite co-operative, had their machines down within minutes of notification, and back up after cleaning the virus.

    The nature of these Sobig virii/viruses is that they repeatedly hit the same addresses. Take a few seconds, look at the header, get the IP, look up the DNS, get the contact name, call and explain, and you'll save yourself (and countless others) a lot of unnecessary hell.

    -Ab

    ps. that also explains why some of my posts this morning were a little bit ... 'tart'

    --
    Nothing fails quite like prayer.
  8. Spoofs From: addresses too. by rdewald · · Score: 3, Informative

    I just got a bounce message (with the e-mail below attached) from an automated domain mail admin because it believed I was the sender of a so.big payload (to a user who has a full e-mailbox).

    I don't use windows, so it's not coming from any of my boxes.

    Here's the header and body text:

    -----

    Received: from HP ([141.154.241.155]) by mta02.mail.mel.aone.net.au
    with ESMTP
    id [20030819180952.SWCW5855.mta02.mail.mel.aone.net.au@HP>
    for [removed for /. post]; Wed, 20 Aug 2003 04:09:52 +1000
    From: [removed for /.-- it was my valid email address]
    To: [likewise removed]
    Subject: Re: That movie
    Date: Tue, 19 Aug 2003 14:10:02 --0400
    X-MailScanner: Found to be clean
    Importance: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MSMail-Priority: Normal
    X-Priority: 3 (Normal)
    MIME-Version: 1.0
    Content-Type: multipart/mixed;
    boundary="_NextPart_000_00FA8C46"
    Message-Id:

    This is a multipart message in MIME format

    --_NextPart_000_00FA8C46
    Content-Type: text/plain;
    charset="iso-8859-1"
    Content-Transfer-Encoding: 7bit

    Please see the attached file for details.
    --_NextPart_000_00FA8C46
    Content-Type: application/octet-stream;
    name="your_document.pif"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    filename="your_document.pif"

    -----

    The your_document.pif was a binary of about 100k.

    --
    The best way to do is to be.
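The server-side extension blocklist from comment 1.3 and the spoofed-From bounce quoted in comment 8 both boil down to the same two checks a mail filter would make: does any MIME part carry a filename with a dangerous extension, and which host actually injected the message (the From: line being worthless for that). The Python below is an added example written for this mirror; it is not code from the thread, from qmail-scanner, SpamAssassin or procmail. The sample message is constructed to mirror the bounced headers above with documentation addresses and a payload that decodes to the word "placeholder"; the blocklist is the one the anonymous commenter posted.

```python
"""Attachment-extension filter plus originating-IP lookup, added as an
example for this thread (not code from the Slashdot posts or from any of
the tools they mention).  Sample message and addresses are constructed."""
import email
import re
from email import policy
from typing import List, Optional

# Extensions the thread's mail-server filter rejects (comment 1.3).
BLOCKED_EXTENSIONS = {
    "com", "exe", "bat", "vbs", "vbe", "js", "jse", "hta", "wsf", "wsh",
    "shs", "scr", "pif", "lnk", "chm",
}

# Constructed sample: same shape as the bounce in comment 8, with
# documentation addresses (192.0.2.0/24, example.net/.org) and a base64
# body that decodes to "placeholder" rather than any real payload.
SAMPLE_MESSAGE = b"""\
Received: from HP ([192.0.2.55]) by mx.example.net with ESMTP
\tid 20030819180952.SWCW5855.mx.example.net@HP
\tfor <victim@example.net>; Wed, 20 Aug 2003 04:09:52 +1000
From: spoofed.sender@example.org
To: victim@example.net
Subject: Re: That movie
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_00FA8C46"

This is a multipart message in MIME format

--_NextPart_000_00FA8C46
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.
--_NextPart_000_00FA8C46
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="your_document.pif"

cGxhY2Vob2xkZXI=
--_NextPart_000_00FA8C46--
"""

# Matches the bracketed address in a Received: clause such as
# "from HP ([192.0.2.55])".
_RECEIVED_IP = re.compile(r"\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)")


def is_blocked_name(name: str) -> bool:
    """True if the filename's last extension is on the blocklist.

    Trailing dots and spaces are stripped first because Windows drops them
    when resolving a name, so "readme.exe." still runs as an .exe."""
    cleaned = name.strip().rstrip(". ")
    if "." not in cleaned:
        return False
    return cleaned.rsplit(".", 1)[1].lower() in BLOCKED_EXTENSIONS


def blocked_attachments(raw: bytes) -> List[str]:
    """Filenames of every attachment part whose extension is blocked."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= first and falls
        # back to Content-Type name=, so both spellings in the bounce count.
        name = part.get_filename()
        if name and is_blocked_name(name):
            hits.append(name)
    return hits


def originating_ip(raw: bytes) -> Optional[str]:
    """IP of the host that injected the message, from the last (earliest)
    Received: header.  From: is attacker-controlled, as comment 8 shows, so
    this is the field the tracing in comment 7 has to start from."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = _RECEIVED_IP.search(str(received[-1]))
    return match.group(1) if match else None


if __name__ == "__main__":
    print("blocked attachments:", blocked_attachments(SAMPLE_MESSAGE))
    print("injecting host:", originating_ip(SAMPLE_MESSAGE))
```

Only the earliest Received: header is consulted because every later one was written by a relay you presumably trust; the earliest is the one naming the infected machine, which is also the only header in the bounce above that the worm did not get to choose.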
  9. Re:It's a worm - blame the users! by American+AC+in+Paris · · Score: 4, Informative

    Let's not forget that this is a worm. It requires that a user launches the executable so it can infect the system.

    A worm is a program that propagates itself over a network, reproducing itself as it goes. While this worm may require user intervention, there exist plenty of worms that do not (the most infamous being the Morris Worm.) A malicious program that masquerades as a legitimate application is a Trojan horse.

    SoBig.F appears to be a Trojan with some worm-like qualities. Of course, in the world of Microsoft mail exploits, the lines are blurred, but a worm is generally not a user-launched process.

    Pedantic, I know, but worms are a special interest of mine, and they generally take a fair bit more skill to create than your average Trojan horse.

    --

    Obliteracy: Words with explosions

  10. OK, I'm getting tired of this "joke" by Jugalator · · Score: 3, Informative

    Yay for trustworthy computing.

    MS jokes aren't innovative, but can still be fun, but not as fun if they aren't trying to relate to the truth very much. Read up about trustworthy computing and learn how it is a process that has barely taken off today, but is an effort that will show up more in Longhorn, etc. DRM and NGSCB are two technologies that have a lot to do with trustworthy computing that aren't even implemented in today's versions of Windows.

    In 2002, MS said:

    "It may take us ten to 15 years to get there, both as an industry and as a society."

    Trustworthy computing is in many ways only at the concept stage this far.

    Sure, one might wonder what's making them think it will take a time period as long as an outrageous 15 years to get these things straight, and one might think DRM is Bill Gates' worst idea ever, but then one should comment about this instead. This may seem like I'm defending Microsoft, although in this case I'm just being annoyed by a joke I've seen numerous times before, and that must have been made up by some uninformed person.

    --
    Beware: In C++, your friends can see your privates!
  11. Procmail Rule by David+D · · Score: 4, Informative

    Here is a decent procmail rule, probably not perfect.

    # Outer recipe: only look at multipart/mixed messages in the size window
    # (in bytes) that the worm's mails fell into
    :0
    * > 100000
    * < 120000
    * ^Content-Type:.*multipart/mixed;
    {
      # B = match conditions against the body; h = hand the header to the filter;
      # f = filter (message continues to later recipes); i = ignore write errors
      :0 B hfi
      * ^Please see the attached zip file for details.
      * ^Content-Disposition: attachment;
      * ^Content-Transfer-Encoding: base64
      # The two scored conditions act as an OR: either filename pattern matching
      # is enough for the recipe to fire
      * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver|movie)[0-9]*\.zip"?
      * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|document_Fall|thank|screensaver|movie)[0-9]*\.zip"?
      # Tag the message with X-Content-Security headers (backslashes continue the action line)
      | formail -A "X-Content-Security: [$HOST] NOTIFY" \
        -A "X-Content-Security: [$HOST] QUARANTINE" \
        -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html"
    }

  12. Re:Unix History by __past__ · · Score: 4, Informative

    I have no idea what you are trying to say, but this is slashdot, so I'll reply anyway:

    • Microsoft, cooperating with SCO, built the first Unix to run on Intel-compatible processors, called Xenix. That was before Windows. So I doubt that lack of Unix knowledge is a major reason for any of MS's mistakes.
    • Compared to other systems of that time, the Unix security model was (and basically still is) piss-poor. And the implementations in the 80s were buggy as hell. It's just that Unix is way better than all the alternatives today (and there is only one non-Unix system left for most intents and purposes), and a huge amount of post-fact bugfixing and workarounds, that make it look good. In other words, it is true that Unix-like systems tend to be the most secure today, but that in itself is a tragedy.