[ISN] More Sobig.F

From: InfoSec News (isnat_private)
Date: Fri Aug 22 2003 - 01:41:33 PDT


    Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rsladeat_private>
    
    Sobig load is increasing: over the past 15 hours I've received 52 copies in my 
    inbox, up from yesterday's 47 in 20 hours (and, as previously noted, well 
    exceeding the previous record for Klez at its height).  (On the slightly bright side, 
    spammers seem to have been affected: other spam seems slightly down today  :-)
    
    As noted, Sobig uses its own SMTP engine, and spoofs both the From and Return-
    Path headers on a random basis, so that is no indication.  Most subject lines I have 
    received have been:
    Your details
    Re: Re: My details
    Thank you!
    Re: Thank you!
    Re: That movie
    Re: Your application
    Re: Approved
    Re: Wicked screensaver
    
    Others may be found in the lists and detailed descriptions at the URLs below.
    
    However, the message body is always "Please see the attached file for details." so 
    that is a reliable indicator.  In addition, I've had a look at more headers, and the 
    following two seem to appear in every copy I've received:
    
    X-MailScanner: Found to be clean
    
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    
    Once again, *PLEASE* spread the word: DO NOT OPEN ATTACHMENTS.  If 
    in doubt, don't.  Sobig uses no special technology beyond this rather simplistic 
    social engineering.  (Can anyone tell me: is there any content scanner lazy enough 
    to be bypassed by the X-MailScanner header?)
    
    http://www.sophos.com/virusinfo/analyses/w32sobigf.html
    http://www.f-secure.com/v-descs/sobig_f.shtml
    
    ======================  (quote inserted randomly by Pegasus Mailer)
    rsladeat_private      sladeat_private      rsladeat_private
    If you like laws and sausage, you should never watch either being
    made.                                            - Otto von Bismarck
    http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
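The indicators Rob lists (the fixed body text, the two headers present in every copy, the observed subject lines, and the presence of an attachment) are enough to write a small mail-triage check. The script below is an added example, not code from the ISN post, from Rob Slade, or from any vendor; the two sample messages are constructed, the attachment name is a placeholder, and the scoring rule (body text alone, or three weaker indicators together) is this example's own choice, since the post only says the body text is reliable and the subjects vary. Following the post's point about the X-MailScanner header, the check treats "Found to be clean" as an indicator to score, never as a reason to skip scanning.

```python
"""Header/body triage for Sobig.F-style mail, based on the indicators in the post.

Added example (not from the ISN post or its author). Indicators are taken from
the post; sample messages below are constructed; the scoring rule is ours.
"""
from email import message_from_string
from email.message import Message

# Indicators quoted from the post.
SOBIG_BODY = "Please see the attached file for details."
SOBIG_SUBJECTS = {
    "Your details", "Re: Re: My details", "Thank you!", "Re: Thank you!",
    "Re: That movie", "Re: Your application", "Re: Approved",
    "Re: Wicked screensaver",
}
SOBIG_XMAILER = "Microsoft Outlook Express 6.00.2600.0000"
SOBIG_XMAILSCANNER = "Found to be clean"


def _text_body(msg: Message) -> str:
    """Return the first inline text/plain part, decoded; empty string if none."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and part.get_filename() is None:
            payload = part.get_payload(decode=True)
            if payload is not None:
                return payload.decode(part.get_content_charset() or "us-ascii", "replace")
    return ""


def _has_attachment(msg: Message) -> bool:
    """True if any MIME part carries a filename (the post's advice is about attachments generally)."""
    return any(part.get_filename() is not None for part in msg.walk())


def sobig_indicators(raw: str) -> list:
    """List which of the post's indicators a raw RFC 822 message matches.

    From and Return-Path are deliberately ignored: the post notes both are spoofed.
    The X-MailScanner header is scored as an indicator; an inbound header claiming
    the mail is clean must never cause a scanner to skip the attachment.
    """
    msg = message_from_string(raw)
    hits = []
    if msg.get("Subject", "").strip() in SOBIG_SUBJECTS:
        hits.append("subject")
    if msg.get("X-Mailer", "").strip() == SOBIG_XMAILER:
        hits.append("x-mailer")
    if msg.get("X-MailScanner", "").strip() == SOBIG_XMAILSCANNER:
        hits.append("x-mailscanner")
    if _text_body(msg).strip() == SOBIG_BODY:
        hits.append("body")
    if _has_attachment(msg):
        hits.append("attachment")
    return hits


def is_probable_sobig(raw: str) -> bool:
    """Our scoring rule: the fixed body text alone, or three weaker indicators together."""
    hits = set(sobig_indicators(raw))
    weak = {"subject", "x-mailer", "x-mailscanner", "attachment"}
    return "body" in hits or len(hits & weak) >= 3


# Constructed sample: looks like the copies described in the post.
SAMPLE_SOBIG = """From: someone@example.invalid
To: victim@example.invalid
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="ATTACHMENT_NAME_PLACEHOLDER"
Content-Disposition: attachment; filename="ATTACHMENT_NAME_PLACEHOLDER"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

# Constructed sample: a normal reply that happens to reuse one of the subjects.
SAMPLE_LEGIT = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Re: Thank you!
Content-Type: text/plain; charset="us-ascii"

No problem, glad the slides were useful. See you Monday.
"""

if __name__ == "__main__":
    for name, raw in (("sobig-like", SAMPLE_SOBIG), ("legit", SAMPLE_LEGIT)):
        print(name, sobig_indicators(raw), "->", "PROBABLE SOBIG" if is_probable_sobig(raw) else "ok")
```

Run as a script it classifies the two samples; pointed at a mailbox it would be a starting point for counting copies the way the post does, with the subject match alone (the legitimate sample) correctly left below the threshold.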
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri Aug 22 2003 - 05:10:06 PDT