[ISN] Sobig.E warning

From: InfoSec News (isnat_private)
Date: Thu Jun 26 2003 - 23:37:31 PDT


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    I am, today, seeing an absolute flood of messages infected with the
    Sobig.E worm.  It may be an anomaly, but the numbers I am seeing in my
    own mail would seem to warrant some kind of warning.
    
    Sobig spoofs message headers, so the email will appear to come from a legitimate 
    address.  Most of the subject lines that I have received are "Re: Application": I've 
    also received one "Re: Movie."  The body is always (in the ones I've received) 
    "Please see the attached zip file for details."  The raw message size is always 
    110K.  All of the messages I have received carry an attached file named 
    "your_details.zi": note that the trailing "p" is missing.  This version carries a file 
    named details.pif.  Note that two of the antivirals that I have run do *not* 
    recognize the virus in the compressed form (your-details.zi) although they do 
    recognize the executable file (details.pif).  I have also received a bounce message 
    as a result of an infected message spoofed with my email address: this indicates 
    that at least one email scanner does catch the infected message in the compressed 
    form.  The MIME info in the message is as follows (and may be presented 
    differently by different mailers):
    
    --CSmtpMsgPart123X456_000_00C72C65
    Content-Type: application/x-zip-compressed;
    	name="your_details.zip"
    Content-Transfer-Encoding: base64
    Content-Disposition: attachment;
    	filename="your_details.zi"
    
    
    Note that Sobig is primarily a worm: it spreads through network shares.  (I can't 
    see anyone dumb enough to rename the file, extract the contents, then run the 
    executable and infect themselves ... no, wait, I *can* see people being dumb 
    enough to do that ...)
    
    At any rate, I'm seeing significant numbers this morning, and thought a heads-up 
    would be a good idea.  More info can be found at 
    http://www.f-secure.com/v-descs/sobig_e.shtml and 
    http://www.sophos.com/virusinfo/analyses/w32sobige.html
    
    ======================  (quote inserted randomly by Pegasus Mailer)
    rsladeat_private      sladeat_private      rsladeat_private
    Vikings?  There ain't no vikings here.  Just us honest farmers.
    The town was burning, the villagers were dead.  They didn't need
    those sheep anyway.  That's our story and we're sticking to it.
                                                          - Dan Sorenson
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
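As an added defender-side example that is not part of Rob's posting or of the ISN list, the Python below flags a message carrying the indicators he describes: the "Re: Application"/"Re: Movie" subject, a Content-Type name ending in .zip beside a Content-Disposition filename truncated to .zi, and a .pif inside the archive. The sample message it builds is constructed here for testing (placeholder bytes stand in for the worm); only the header layout and boundary string are taken from the MIME excerpt above.

```python
import base64, io, zipfile
from email import message_from_bytes

# Indicators quoted in the posting above: subject "Re: Application" or
# "Re: Movie", a Content-Type name ending in .zip whose Content-Disposition
# filename is truncated to .zi, and a details.pif inside the archive.
SUBJECTS = {"re: application", "re: movie"}

def sobig_e_indicators(raw: bytes) -> list:
    """Return the Sobig.E indicators found in one raw RFC 2822 message."""
    msg = message_from_bytes(raw)
    hits = []
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        ctype_name = (part.get_param("name") or "").lower()  # Content-Type name=
        disp_name = (part.get_filename() or "").lower()      # Content-Disposition filename=
        if disp_name.endswith(".zi"):
            hits.append("truncated-zi-filename")
        if ctype_name and ctype_name != disp_name:
            hits.append("name-mismatch")  # the two headers disagree on the name
        payload = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                if any(n.lower().endswith(".pif") for n in zf.namelist()):
                    hits.append("pif-in-zip")
        except zipfile.BadZipFile:
            pass  # not a zip (or damaged): the filename indicators still stand
    return hits

def build_sample() -> bytes:
    """Constructed look-alike message for testing; not a real Sobig.E sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", b"placeholder bytes, not malware")
    b64 = base64.encodebytes(buf.getvalue()).decode()
    bnd = "CSmtpMsgPart123X456_000_00C72C65"  # boundary from the posting's MIME excerpt
    return (
        "From: spoofed@example.invalid\r\nSubject: Re: Application\r\n"
        f'MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="{bnd}"\r\n\r\n'
        f"--{bnd}\r\nContent-Type: text/plain\r\n\r\n"
        "Please see the attached zip file for details.\r\n"
        f"--{bnd}\r\nContent-Type: application/x-zip-compressed;\r\n"
        '\tname="your_details.zip"\r\nContent-Transfer-Encoding: base64\r\n'
        'Content-Disposition: attachment;\r\n\tfilename="your_details.zi"\r\n\r\n'
        f"{b64}--{bnd}--\r\n"
    ).encode()

if __name__ == "__main__":
    print(sobig_e_indicators(build_sample()))
```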
    



    This archive was generated by hypermail 2b30 : Fri Jun 27 2003 - 01:49:08 PDT