Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft Virus Spam: SoBig.F

Posted by michael on from the trustworthy-computing dept.

If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing.

10 of 557 comments (clear)

  1. Thank you Spamassassin by Gothmolly · · Score: 5, Informative

    If you set your score for MICROSOFT_EXECUTABLE high enough, and these emails with their .pif attachments get sent right to /dev/null

    --
    I want to delete my account but Slashdot doesn't allow it.
    1. Re:Thank you Spamassassin by Uggy · · Score: 4, Informative

      Don't need spamassassin for this. If you are using qmail-scanner just set your quarantine-attachments.txt in /var/spool/qmailscan/ like so:

      .exe 0 EXE attachements not allowed
      .vbs 0 VBS attachements not allowed
      .lnk 0 LNK attachements not allowed
      .pif 0 PIF attachements not allowed
      .com 0 PIF attachements not allowed
      .scr 0 SCR attachements not allowed
      .bat 0 BAT attachements not allowed

      Make sure whitespace between the columns is a tab and not spaces. Then rerun your qmailscanner db update and you're good to go.

      Spamassassin is WAY to intelligent to be feeding it filename extensions. This is a lot faster too.

      Are there any other extensions that would be good to block?

      --
      Toddlers are the stormtroopers of the Lord of Entropy.
    2. Re:Thank you Spamassassin by Anonymous Coward · · Score: 5, Informative

      We filter these at the mail server:

      *.com, *.exe, *.bat, *.vbs, *.vbe, *.js, *.jse, *.hta, *.wsf, *.wsh, *.shs, *.scr, *.pif, *.lnk, *.chm

      All are potential vectors.

      http://antivirus.about.com has a bigger list of suspicious attachment types. Some are document types, but others are just special executable types in Windows, such as .chm files, which are compiled help files.

      It isn't these *have been* exploited by virus writers (though many have), but rather that they *could be*, because of their nature. I would never filter all of them, but I've gotta admit after scanning the list, most of these would be surprising to me to find in an email.

      ADE Microsoft Access Project Extension
      ADP Microsoft Access Project
      BAS Visual Basic Class Module
      BAT Batch File
      CHM Compiled HTML Help File
      CMD Windows NT Command Script
      COM MS-DOS Application
      CPL Control Panel Extension
      CRT Security Certificate
      DLL Dynamic Link Library
      DO* Word Documents and Templates
      EXE Application
      HLP Windows Help File
      HTA HTML Applications
      INF Setup Information File
      INS Internet Communication Settings
      ISP Internet Communication Settings
      JS JScript File
      JSE JScript Encoded Script File
      LNK Shortcut
      MDB Microsoft Access Application
      MDE Microsoft Access MDE Database
      MSC Microsoft Common Console Document
      MSI Windows Installer Package
      MSP Windows Installer Patch
      MST Visual Test Source File
      OCX ActiveX Objects
      PCD Photo CD Image
      PIF Shortcut to MS-DOS Program
      POT PowerPoint Templates
      PPT PowerPoint Files
      REG Registration Entries
      SCR Screen Saver
      SCT Windows Script Component
      SHB Document Shortcut File
      SHS Shell Scrap Object
      SYS System Config/Driver
      URL Internet Shortcut (Uniform Resource Locator)
      VB VBScript File
      VBE VBScript Encoded Script File
      VBS VBScript Script File
      WSC Windows Script Component
      WSF Windows Script File
      WSH Windows Scripting Host Settings File
      XL* Excel Files and Templates

  2. heh by abhisarda · · Score: 4, Informative

    Just read about about it on the BBC

  3. This software will help if you got the virus by joeykiller · · Score: 5, Informative

    I should have mentioned this in my last post... if you've got the SoBig.F virus, FSecure has posted a free fix here.

    ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.ex e

  4. hmm by cetan · · Score: 5, Informative

    I'm interested to see if is updated to include info on -f. the -e article was a good eye-opener.

    --
    In Soviet Russia...michael would be rotting in Siberia!
  5. Re:Block Attachments on Exchange? by gregarican · · Score: 5, Informative
    There are command line utils in Exchange 5.5 that can help delete these attachments totally. Look on the installation CD for details.

    Starting with Office XP you'll see that Outlook automatically blocks attachments ending in PIF, BAT, EXE, etc. This is an absolute that can only be modified through admin policies out in an Exchange folder.

    If you are looking for this type of deal I *think* Outlook 2000 has a service pack that installs the attachment blocking.

    Hope this helps!

  6. Re:It's a worm - blame the users! by American+AC+in+Paris · · Score: 4, Informative
    Let's not forget that this is a worm. It requires that a user launches the executable so it can infect the system.

    A worm is a program that propagates itself over a network, reproducing itself as it goes. While this worm may require user intervention, there exist plenty of worms that do not (the most infamous being the Morris Worm.) A malicious program that masquerades as a legitimate application is a Trojan horse.

    SoBig.F appears to be a Trojan with some worm-like qualities. Of course, in the world of Microsoft mail exploits, the lines are blurred, but a worm is generally not a user-launched process.

    Pedantic, I know, but worms are a special interest of mine, and they generally take a fair bit more skill to create than your average Trojan horse.

    --

    Obliteracy: Words with explosions

  7. Procmail Rule by David+D · · Score: 4, Informative

    Here is a decent procmail rule, probably not perfect.

    :0
    * > 100000
    * < 120000
    * ^Content-Type:.*multipart/mixed;
    {
    :0 B hfi
    * ^Please see the attached zip file for details.
    * ^Content-Disposition: attachment;
    * ^Content-Transfer-Encoding: base64
    * 9876543210^1 ^Content-(Type|Disposition):.*$.*name *= *"?(your_details|application|document|screensaver| movie)[0-9]*\.zip"?
    * 9876543210^1 ^Content-(Type|Disposition):.*name *= *"?(your_details|application|document|document_Fal l|thank|screensaver|movie)[0-9]*\.zip"?
    | formail -A "X-Content-Security: [$HOST] NOTIFY"
    -A "X-Content-Security: [$HOST] QUARANTINE"
    -A "X-Content-Security: [$HOST] REPORT: Trapped SoBig worm - http://securityresponse.symantec.com/avcenter/venc /data/w32.sobig.e@mm.html"
    }

  8. Re:Unix History by __past__ · · Score: 4, Informative
    I have no idea what you are trying to say, but this is slashdot, so I'll reply anyway:

    • Microsoft, cooperating with SCO, built the first Unix to run on Intel-compatible processors, called Xenix. That was before Windows. So I doubt that lack of Unix knowledge is a major reason for any of MS's mistakes.
    • Compared to other systems of that time, the Unix security model was (and basically still is) piss-poor. And the implementations in the 80s were buggy as hell. It's just that Unix is way better than all the alternatives today (and there is only one non-Unix system left for most intents and purposes), and a huge amount of post-fact bugfixing and workarounds, that make it look good. In other words, it is true that Unix-like systems tend to be the most secure today, but that in itself is a tragedy.
    --
    Programming can be fun again. Film at 11.