Sobig.F

Howell

A new variant of Sobig, known as Sobig.F, was first found on August 19th, 2003 and it is spreading in the wild.

Windows e-mail worm Sobig.F, which is currently the most widespread worm in the world, has created massive e-mail outages globally since it was found on Tuesday the 18th of August – four days ago. The worm spreads itself via infected e-mail attachments in e-mails with a spoofed sender address. The total number of infected e-mails seen on the Internet since this attack started is close to 100 million.

However, the Sobig.F worm has a surprise attack in its sleeve.

http://www.f-secure.com/v-descs/sobig_f.shtml

Sobig.F activates on Friday the 22nd of August at 19:00 UTC. For information on this, please see:
http://www.f-secure.com/news/items/news_2003082200.shtml
 

SteveC

Feared Attack From Computer Virus Fizzles
A feared Internet attack resulting from a fast-spreading computer virus fizzled Friday, as security officials said they contained it by identifying and blocking computers key to coordinating it.

Instructions written into the latest version of the "Sobig" virus, which began appearing Tuesday, called for infected Windows machines to try to download a program that, until the attack began at 3 p.m. EDT Friday, had an unknown function.

Experts feared the program could have deleted files, stolen passwords or created rogue e-mail servers for spreading junk e-mail.

But Vincent Weafer, security director with Symantec Security Response, said that when the appointed time came, all the virus did was visit a pornography site.
 

Howell

F-Secure
Update on 19:00 UTC

When the deadline for the attack passed, one machine was still (somewhat) up. However, immediately after the deadline, this machine (located in the USA) was totally swamped under network traffic.

We've tried connecting to it, just like the virus does. We do this from three different sensors from three different machines in three different countries. We haven't been able to connect to it once. If we can't connect, neither can the viruses.

So the attack failed. Whoa.

We'll keep monitoring until 22:00 UTC. If we're not able to connect once, we can safely say that the attack was prevented.
 

e_dawg

My biggest fear is that all the ignorant (or careless) folks who have my e-mail address in their address books will be hit with virii and/or worms that will mass e-mail everyone on their contact list (or maybe it will just send the contents of the contact list back home, along with other personal info it can get its hands on). Either way, my e-mail address will be spread across the Net in the process, eventually finding its way onto mailing lists... the endless procession of spam will begin. There goes another perfectly good e-mail address (and possibly domain name in the process).
 

Pradeep

Weird thing. I ran AVG 6.0 on the laptop the other day and it detected OPEN_ME.EXE in two directories. Now I have it scan all emails and Outlook 2K won't let me open executable attachments anyway. I'm wondering if I got it via the blaster backdoor before I patched (even though I never had the shutdown on startup problem)?

Oh yeah, I ran Windows Update and installed all of the updates it recommended, now my Windows (Luna?) theme lacks the window minimize/close buttons etc. I had to go back to Classic to see all the frames again. XP login box looks crazy. Anyone had this problem? And my printer no longer prints from the GUI, XP sees it but won't send jack shit. Can print from the command prompt tho.

Sigh, time to reinstall. Perhaps Server 2003.
 