19 August 2003 - New Microsoft E-Mail Virus - W32/Sobig.F-mm

Marc

Hunkered Down for the Duration
Staff member
Admin
#1
If you're being barraged with Microsoft virus spam emails today, this story notes that it's a flare-up of an older Microsoft virus in a new, improved form. Yay for trustworthy computing. Discuss at: http://slashdot.org/article.pl?sid=...=flat&tid=109&tid=111&tid=126&tid=128&tid=187

World squirms as Sobig returns

http://news.com.com/2100-1002_3-5065494.html

By CNETAsia Staff
Special to CNET News.com
August 19, 2003, 8:47 AM PT

The Sobig e-mail virus that caused havoc two months ago has reappeared in a virulent new form, according to e-mail service provider MessageLabs.

The company has given the virus a high-level alert status because of its rapid spread.

The new worm, code-named W32/Sobig.F-mm, appeared Monday, according to the company. All copies came from the United States. So far, the worm has been active in the United States, Denmark and Norway. Anecdotal evidence suggests that it has also spread to Asia-Pacific.

MessageLabs on Tuesday reported that 21 percent of cases were in the United Kingdom. The Sophos Web site indicated that the antivirus company had received "many reports of this worm from the wild."

"Initial analysis would suggest that Sobig.F is a mass-e-mailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature. The address is also spoofed and may not indicate the true identity of the sender," a MessageLabs statement said.

The sender appears to be someone from a recognized domain name, such as ibm.com, zdnet.com or microsoft.com. The subject line typically says "Re: Details," "Resume" or "Thank you."

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, and document_9446.pif.

The virus grabs e-mail addresses from several different locations on a computer, including the Windows address book and Internet cache, and sends e-mails to each one. The virus also forges the source of the message using a randomly selected e-mail address so that the infected message appears to come from someone else.

Sobig.E is more efficient than previous versions of the virus in sending e-mail addresses, according to MessageLabs' analysis, because the e-mail engine that it uses to send e-mail is "multithreaded." While earlier versions of the virus had to wait for a task, or thread, to be completed, Sobig.E can send multiple e-mails concurrently, making it a much more efficient spam engine.

In an attempt to bypass local antivirus security, the file size varies on each generation by appending rubbish to the end of the file but is on average about 74KB, according to MessageLabs.

CNETAsia staff reported from Singapore. CNET News.com's Robert Lemos contributed to this report.
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#2
Sobig.f prevention and cure
By Robert Vamosi

http://reviews.cnet.com/4520-6600_7-5065445.html?tag=cnetfd.sd

This worm tries to disguise itself from antivirus apps

(8/19/03)

Yet another member of the Sobig virus family is loose. Sobig.f ([email protected]) spreads via e-mail and shared network files and could slow e-mail servers with excessive traffic, so it rates a 7 on the CNET Virus Meter. This worm affects only Windows computers, not Mac, Linux, or Unix systems. Like its siblings, Sobig.f has a built-in termination date, September 10, 2003, and can attempt to retrieve, download, and finally execute a Trojan to steal credit card numbers and other personal account information. But Sobig.f differs in that it appends garbage characters to the end of the infected file, making it harder for antivirus products to recognize Sobig.f.

How it works
Sobig.f arrives as an e-mail with the following characteristics:

The From and To addresses are collected from infected PCs, from files ending with the extensions .dbx, .eml, .htm, .html, .txt, and .wab.

The Sobig.f subject line reads:

* Re: Details
* Re: Approved
* Re: Re: My details
* Re: Thank you!
* Re: That movie
* Re: Wicked screensaver
* Re: Your application
* Thank you!
* Your details

Its body text reads:

* See the attached file for details
* Please see the attached file for details.

The file attached to Sobig.f is:

* application.zip
* details.zip
* document_9446.zip
* document_all.zip
* movie0045.zip
* thank_you.zip
* your_details.zip
* your_document.zip
* wicked_scr.zip

When executed, the worm will add the following to the system registry:

[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "TrayX" = %windir%\winppr32.exe /sinc

Prevention
In general, do not open e-mail attachments without first saving them to hard disk and scanning them with updated antivirus software. If you do not have automatic antivirus signature file updates, contact your antivirus vendor to obtain the most-current antivirus signature files that include Sobig.f.

Removal
Most antivirus-software companies have updated their signature files to include this worm. The updates will stop the infection upon contact and, in some cases, will remove an active infection from your system. For more information, see Central Command, Computer Associates, F-Secure, McAfee, MessageLabs, Norman, Panda, Sophos, Symantec, and Trend Micro.
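A mail-triage check built from the indicators listed above (subject lines, body text, attachment names and the .pif/.scr/.zip payload types). This is an added example, not code from the CNET write-up or from any antivirus vendor; the sample messages, the example.com addresses and the inert filler attachment are constructed here.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Indicators quoted in the CNET write-ups above. The From address is left out
# because Sobig.F forges it; size and hash are left out because each copy is
# padded with garbage to defeat exactly that kind of matching.
SUBJECTS = {"Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
            "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
            "Thank you!", "Your details"}
BODIES = {"see the attached file for details", "please see the attached file for details."}
ATTACH_STEMS = {"application", "details", "document_9446", "document_all", "movie0045",
                "thank_you", "your_details", "your_document", "wicked_scr"}
PAYLOAD_EXT = {".pif", ".scr", ".zip"}

def sobig_indicators(raw: bytes) -> list[str]:
    """Return the Sobig.F indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        stem, ext = os.path.splitext((part.get_filename() or "").lower())
        if ext in PAYLOAD_EXT:
            hits.append("payload-ext" + ext)
        if stem in ATTACH_STEMS:
            hits.append("attachment-name")
    return hits

def is_sobig(raw: bytes) -> bool:
    """Quarantine rule: an executable-type payload plus at least one other indicator,
    so an ordinary 'Re: Details' reply with a .txt attached is not flagged."""
    hits = sobig_indicators(raw)
    return any(h.startswith("payload-ext") for h in hits) and len(hits) >= 2

def build_sample(subject, body, filename, padding=0):
    """Constructed test mail. The attachment is inert filler standing in for the
    worm body; `padding` mimics the variable garbage appended to each copy."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # forged in the real worm, so not an indicator
    msg["To"] = "victim@example.net"
    msg["Subject"] = subject
    msg.set_content(body)
    if filename:
        msg.add_attachment(b"\x00" * (1024 + padding), maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

SAMPLES = {
    "worm_pif": build_sample("Re: Details", "See the attached file for details", "your_document.pif"),
    "worm_zip_padded": build_sample("Thank you!", "Please see the attached file for details.",
                                    "thank_you.zip", padding=537),
    "benign_reply": build_sample("Re: Details", "Minutes attached, see you Tuesday.", "minutes.txt"),
    "no_attachment": build_sample("Your details", "See the attached file for details", None),
}
```

Both worm samples are flagged even though the padded copy has a different size and hash, while the benign reply and the attachment-less mail are not.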
 

Atul Khandekar

Quite Involved in Discussions
#3
I received at least 30 mails containing this virus since today evening. :( (last 5 hours or so). I think it can infect your PC only if you click on the .pif/.scr file attached.
 

Mike S.

Happy to be Alive
Trusted Information Resource
#4
Marc said:
Yay for trustworthy computing.

This worm affects only Windows computers, not Mac, Linux, or Unix systems.
Do viruses, worms, hackers, etc. never attack Mac, Linux, or Unix systems? (I really don't know.) If not, why? Is it because they are impossible to attack or that so few people use them they aren't worth the attacker's effort as they won't get famous?
 

Atul Khandekar

Quite Involved in Discussions
#5
Mike S. said:
Do viruses, worms, hackers, etc. never attack Mac, Linux, or Unix systems? (I really don't know.) If not, why? Is it because they are impossible to attack or that so few people use them they aren't worth the attacker's effort as they won't get famous?
It's probably both !! :) :)
 
B

Bob_M

#6
Mike S. said:
Do viruses, worms, hackers, etc. never attack Mac, Linux, or Unix systems? (I really don't know.) If not, why? Is it because they are impossible to attack or that so few people use them they aren't worth the attacker's effort as they won't get famous?
I believe most people that CAN set up linux/unix systems from scratch know how to properly protect their systems from the rest of the world. Us Microshaft users are typically plug and play and good old bill apparently doesn't protect MS by default, and would rather have us upgrade to the newest version (which is the safest ever blah blah), than fix the holes. Don't get me wrong, I'm an MS user, because I want plug and play computers, but I also like to tweak. *shrug*
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#7
Mike S. said:
Do viruses, worms, hackers, etc. never attack Mac, Linux, or Unix systems? (I really don't know.) If not, why? Is it because they are impossible to attack or that so few people use them they aren't worth the attacker's effort as they won't get famous?
There are a number of theories - almost all are based upon the % userbase.

From: http://books.slashdot.org/article.p...d=107&tid=126&tid=172&tid=185&tid=187&tid=190

Not flame : Mac OS9 100% secure not OSX (Score:2, Interesting)
by Anonymous Coward on Tuesday August 19, @01:35PM (#6735082)
This valuable post in a larger form was recently downrated a flame by a linux zealot so I repost it here in very condensed form with nothing but DATA and Informative post info. There is no reason to moderate down informative posts. To not be termed a "flame" I request that no one reply to my post. Therefore it is not a troll by the DEFINITION of "troll".

It is a concrete fact that no MacOS based webserver has ever been hacked into in the history of the internet.

The MacOS running WebStar and other webservers has never been exploited or defaced, and is unbreakable based on ample historical evidence.

In fact in the entire SecurityFocus (BugTraq) database history there has never been a Mac (classic Mac OS) exploited over the internet remotely. Scan it yourself, though I believe an uncommon 3rd party mac product from 1995 or so had one exploit.

I am not talking about FreeBSD derived MacOS X (which already had more than 35 exploits and potential exploits in BugTraq) I am talking about current Mac OS 9.x and earlier which are highly sophisticated abstract-OS models.

Why is it hack proof? These reasons :

1> No command shell. No shell means no way to hook or intercept the flow of control with many various shell oriented tricks found in Unix or NT. Apple uses an object model for process to process communication that is heavily typed and "pipe-less"

2> No Root user. All mac developers know their code is always running at root. Nothing is higher (except undocumented microkernel stuff where you pass Gary Davidian's birthday into certain registers and make a special call). By always being root there is no false sense of security, and programming is done carefully.

3> Pascal strings. ANSI C Strings are the number one way people exploit Linux and Wintel boxes. The mac avoids C strings historically in most of all of its OS. In fact even its roms originally used Pascal strings. As you know pascal strings are faster than C (because they have the length delimiter in the front and do not have to endlessly hunt for NULL), but the side effect is less buffer exploits. Individual 3rd party products may use C strings and bind to ANSI libraries, but many do not. In case you are not aware of what a "pascal string" is, it usually has no null byte terminator.

4> Macs running Webstar have ability to only run CGI placed in correct directory location and correctly file "typed" (not mere file name extension). File types on Macs are not easily settable by users, especially remotely. Apache as you know has had many problems in earlier years preventing wayward execution.

5> Macs never run code ever merely based on how a file is named. ".exe" suffixes mean nothing! For example the file type is 4 characters of user-invisible attributes, along with many other invisible attributes, but these 4 bytes cannot be set by most tool oriented utilities that work with data files. For example file copy utilities preserve launchable file-types, but JPEG MPEG HTML TXT etc oriented tools are physically incapable by design of creating an executable file. The file type is not set to executable for the hackers needs. In fact it's even more secure than that. A mac cannot run a program unless it has TWO files. The second file is an invisible file associated with the data fork file and is called a resource fork. EVERY mac program has a resource fork file containing launch information. It needs to be present. Typically JPEG, HTML, MPEG, TXT, ZIP, C, etc are merely data files and lack resource fork files, and even if they had them they would lack launch information. but the best part is that mac web programs and server tools do not create files with resource forks usually. TOTAL security.

6> Stack return address positioned in safer location than some intel OSes. Buffer exploits take advantage of loser programmers' lack of string length checking and clobber the return address to run their exploit code instead. The Mac compilers usually place return address in front or out of context of where the buffer would overrun. Much safer.

7> There are less macs, though there are huge cash prizes for cracking into a MacOS based WebStar server (typically over $10,000 US). Less macs means less hacker interest, but there are MILLIONS of macs sold, and some of the most skilled programmers are well versed in systems level mac engineering and know of the cash prizes, so it's a moot point, but perhaps macs are never kracked because there appear to be less of them. (many macs pretend they are unix and give false headers to requests to keep up the illusion, ftp http, finger, etc). But some huge high performance sites use load-balancing webstar. Regardless, no mac has ever been rooted in history of the internet, except with a strange 3rd party tool in 1995.

8> MacOS source not available traditionally, except within apple, similar to Microsoft source only available to its summer interns and engineers, source is rare to MacOS. This makes it hard to look for programming mistakes, but I feel the restricted source access is not the main reason the MacOS has never been remotely broken into and exploited.

Sure a fool can install freeware and shareware server tools and unsecure 3rd party addon tools for e-commerce, but a mac (MacOS 9) running WebStar is the most secure web server possible and webstar offers many services as is.

One 3rd party tool created the only known exploit backdoor in mac history and that was back in 1995 and is not, nor was, a widely used tool. I do not even know its name. From 1995 to 2002 not one macintosh web server on the internet has been broken into or defaced EVER. Other than that event ages ago in 1995, no mac web server has ever been rooted, defaced, owned, scanned, exploited, etc.
 

Marc

Hunkered Down for the Duration
Staff member
Admin
#8
Atul Khandekar said:
I received at least 30 mails containing this virus since today evening. :( (last 5 hours or so).
SpamCop has caught over 200 today so far. None have gotten through - not that it would matter to me if one did.
 

Atul Khandekar

Quite Involved in Discussions
#9
Obviously, my email provider does not have any virus protection installed. I noticed there were zero virus emails on my hotmail / yahoo accounts. (there are about a hundred other spam mails though :( )
 
#10
Atul Khandekar said:
I received at least 30 mails containing this virus since today evening. :( (last 5 hours or so). I think it can infect your PC only if you click on the .pif/.scr file attached.
In this case, yes. Unfortunately, some viruses are perfectly able to infect you as soon as you open the mail they are attached to. A word of warning in that case:

If your mail client has the ability to display a preview of the mail contents: Turn that feature off! It enables such viruses to run.

/Claes
 