New Sobig variant spreading extremely rapidly

Frequent_Flyer

Norton did an auto-update at 4:55am EST.

FF

--
"My reading of history convinces me that most bad government results from
too much government." -- Thomas Jefferson
Ian.H said:
There is a new Sobig variant spreading extremely rapidly. Norman seem
to be the first antivirus program that detects it:
http://www.norman.com/virus_info/w32_sobig_f_mm.shtml

Best,
Eirik


I don't think the first.. my F-Prot has been updated for this for the
last few hours =)



Regards,

Ian

--
Ian.H [Design & Development]
digiServ Network - Web solutions
www.digiserv.net | irc.digiserv.net | forum.digiserv.net
Programming, Web design, development & hosting.
 
BoB

Norton did an auto-update at 4:55am EST.

FF

My spam drop box is on the ball:
__________________________
From: Virus Scanning Agent <[email protected]>
Date: Tue, 19 Aug 2003 15:39:51 -0600

User (e-mail address removed)01.com tried to send you a message
containing the W32/Sobig.F@mm virus.

The infected message has been returned to the sender with a notice
that it was infected.
___________________________

An alert from ETrust said their latest update covers the email worm
Win32.Sobig.F

Alias: I-Worm.Sobig.f (Kaspersky) ,
W32.Sobig.F@mm (Symantec),
W32/Sobig.F (F-Secure),
W32/Sobig.f@MM (McAfee),
WORM_SOBIG.F (Trend)

The worm is coded to stop replicating as of 10th September 2003.

BoB
 
FromTheRafters

Ian.H said:
I don't think the first.. my F-Prot has been updated for this for the
last few hours =)

Why is this worm spreading so rapidly? Are stupid people
attaining faster reaction times these days?
 
Gabriele Neukam

On that special day, FromTheRafters, ([email protected]) said...
Why is this worm spreading so rapidly? Are stupid people
attaining faster reaction times these days?

Apart from Bart's sordid explanation, there is an even worse one.
Sobig.F is sending itself multithreaded, i.e. similar to some FTP
programs that pull from several servers at one time, to increase the
download rate.

I don't know how to do a multiple upload at your ISP, but it must be
the cause why I could get twenty mails from 24.174.x.y from Aug 20th,
00:38h am until Aug 20th, 01:12h am.


Gabriele Neukam

(e-mail address removed)
 
FromTheRafters

BoB said:
On Tue, 19 Aug 2003 17:16:57 GMT, "Frequent_Flyer" [snip]

My spam drop box is on the ball:
[snip]

The infected message has been returned to the sender with a notice
that it was infected.

How does this "on the ball" service determine who the
sender is?

I assume they return to sender, which is normally faked, but as
long as I don't have to waste my time checking it out, that's not
my concern. In those cases where a stolen email address was used,
the sender gets notified they 'may' be infected, if their machine
was actually used to send the email, so some returns may be of value.

The majority of users getting sent these notices are not the ones
that actually sent the e-mail. These "on the ball" services are not
helping at all if they send notices to the faked sender. They are
clogging up the mail servers with good-intentioned but ill-advised
notices.

....not my idea of "on the ball" at all.
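
The objection in the post above, written as a gateway policy (an added example, not code from the thread or from any scanning product): quarantine the message, record the connecting IP from the gateway's own Received header, and send no notice to the From address when the detection is a mass mailer. The function names, the sample message and its addresses are constructed, and it assumes the scanner uses the "@mm" suffix seen in the Symantec and McAfee names quoted earlier in the thread.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: an infected message as the receiving gateway sees it.
# The top Received header is written by our own server, so its IP is reliable;
# From is whatever address the worm chose to put there.
SAMPLE = """\
Received: from unknown.example (unknown.example [192.0.2.44])
\tby mx.gateway.example with SMTP; Wed, 20 Aug 2003 00:38:12 -0600
From: Innocent Bystander <bystander@victim.example>
To: user@dropbox.example
Subject: Re: Wicked screensaver

See the attached file for details
"""

# Assumption: the scanner reports names with an "@mm" suffix for mass mailers.
MASS_MAILER = re.compile(r"@mm$", re.IGNORECASE)
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg):
    """IP recorded by our own MTA in the topmost Received header, or None."""
    received = msg.get_all("Received") or []
    m = BRACKETED_IP.search(received[0]) if received else None
    return m.group(1) if m else None

def handle_detection(raw_message, detection_name):
    """Decide what the gateway does with an infected message (hypothetical policy)."""
    msg = message_from_string(raw_message)
    decision = {
        "action": "quarantine",
        "claimed_sender": parseaddr(msg.get("From", ""))[1],
        "source_ip": connecting_ip(msg),  # what an abuse report should cite
        "notify_sender": True,
    }
    if MASS_MAILER.search(detection_name):
        # Mass mailers forge From, so a notice would reach an uninvolved address.
        decision["notify_sender"] = False
    return decision

if __name__ == "__main__":
    print(handle_detection(SAMPLE, "W32/Sobig.F@mm"))
```
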
 
FromTheRafters

[snip]
I agree but it's their decision, since they own the free service.

Received five more this morning. Two were the same subject:
'Wicked screensaver', from (e-mail address removed) and
(e-mail address removed), 90 minutes later. All were received between
1:30 and 3:30 a.m.

Oh well, Sept 10th is coming. :)

....and so is Sobig.g...h...i...j...etc...
 
