On Tue, 19 Aug 2003, Kuo, Jimmy wrote:

> Yes. Another one. :-(
>
> I haven't had 10 free minutes to write to CRIME about this. I actually
> started one about 10AM, but my wireless cut out (someone around me has a
> 2.4MHz phone, I'm sure).
>
> We are just right now, raising our Risk Assessment to HIGH for Home Users on
> this virus. Corporate users have the ability to block .PIF and .SCR and
> many have done so from the previous SoBigs. But home users continue to
> click on attachments. :-(

I am not certain which is worse. The virus or all the anti-virus programs
spitting out warnings that it saw a virus. So far I have gotten HUNDREDS of
anti-virus warnings sent to practically every mailing list I am on. It is
actually outnumbering the spam I get at this point! (As well as the actual
copies of the virus. I might have gotten one or two, but that is about it.)

Sending out virus warnings to senders is really a bad idea unless verified
by a clued human. Anything else is just plain annoying behaviour.

> Here's our page:
>
> http://vil.nai.com/vil/content/v_100561.htm
>
> -----Original Message-----
> From: Jim Wood
> To: crime@private
> Sent: 8/19/03 1:34 PM
> Subject: CRIME SOBIG ADVISORY
>
> FYI-
>
> Network traffic is up due to the SOBIG worm today. Numerous reports
> from security sites, as well as network admins around the country are
> reporting the attachment coming in as a .pif attachment to their email
> clients.
>
> The following information is from Symantec, just thought I would pass it
> along in the interest of being pro-active in the shadow of the last
> mess.
>
> **********************************START DOCUMENT****************************
>
> Symantec Security Response http://securityresponse.symantec.com
> W32.Sobig.F@mm
> Discovered on: August 19, 2003
> Last Updated on: August 19, 2003 09:24:02 AM
>
> Due to the number of submissions received from customers, Symantec
> Security Response has upgraded this threat to a Category 3 from a
> Category 2 threat.
>
> W32.Sobig.F@mm is a mass-mailing, network-aware worm that sends itself
> to all the email addresses that it finds in the files with the following
> extensions:
>
> .dbx
> .eml
> .hlp
> .htm
> .html
> .mht
> .wab
> .txt
>
> The worm utilizes its own SMTP engine to propagate and will attempt to
> create a copy of itself on accessible network shares.
>
> Email Routine Details
> The email message has the following characteristics:
>
> From: Spoofed address (which means that the sender in the "From" field
> is most likely not the real sender).
> The worm may use the address admin@private as the sender.
>
> Subject:
> Re: Details
> Re: Approved
> Re: Re: My details
> Re: Thank you!
> Re: That movie
> Re: Wicked screensaver
> Re: Your application
> Thank you!
> Your details
>
> Body:
> See the attached file for details
> Please see the attached file for details.
>
> Attachment:
> your_document.pif
> document_all.pif
> thank_you.pif
> your_details.pif
> details.pif
> document_9446.pif
> application.pif
> wicked_scr.scr
> movie0045.pif
>
> NOTE: The worm deactivates on September 10, 2003. The last day on which
> the worm will spread is September 9, 2003.
>
> Also Known As: Sobig.F [F-Secure], W32/Sobig.f@MM [McAfee],
> WORM SOBIG.F [Trend]
>
> Type: Worm
> Infection Length: about 72,000 bytes
>
> Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
> Windows NT, Windows XP
> Systems Not Affected: Linux, Macintosh, OS/2, UNIX, Windows 3.x
>
> Beta Virus Definitions: August 18, 2003
> Virus Definitions (Intelligent Updater) *: August 19, 2003
> Virus Definitions (LiveUpdate™) **: August 19, 2003
>
> * Intelligent Updater definitions are released daily, but require manual
> download and installation. Click here to download manually.
>
> ** LiveUpdate virus definitions are usually released every Wednesday.
> Click here for instructions on using LiveUpdate.
>
> Wild:
> Number of infections: 0 - 49
> Number of sites: 3 - 9
> Geographical distribution: Low
> Threat containment: Easy
> Removal: Easy
>
> Threat Metrics
> Wild: Medium
> Damage: Low
> Distribution: Medium
>
> When W32.Sobig.F@mm is executed, it performs the following actions:
>
> Copies itself as %Windir%\winppr32.exe.
>
> NOTE: %Windir% is a variable. The worm locates the Windows installation
> folder (by default, this is C:\Windows or C:\Winnt) and copies itself to
> that location.
>
> Creates the file, %Windir%\winsst32.dat.
>
> Adds the value:
>
> "TrayX"="%Windir%\winppr32.exe /sinc"
>
> to the registry key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> so the worm runs when you start Windows.
>
> Attempts to copy itself to any network shares it has write access to.
> The worm will utilize standard Windows APIs to do this.
>
> Sobig.F can download arbitrary files to an infected computer and execute
> them. The author of the worm has used this functionality to steal
> confidential system information and to set up spam relay servers on
> infected computers.
>
> This functionality may also be used as a worm self-update feature. Under
> the correct conditions, Sobig.F attempts to contact one of the list of
> master servers, which the author of the worm controls. Then, the worm
> retrieves a URL that it uses to determine where to get the Trojan file,
> downloads the Trojan file to the local computer, and then executes it.
>
> In Sobig.F, the conditions for this download attempt are:
> According to UTC time, the day of the week must be Monday or Friday.
> According to UTC time, the time of day must be between 7:00 P.M. and
> 11:59:59 P.M.
>
> Sobig.F obtains the UTC time through the NTP protocol, by contacting one
> of several possible servers on port 123/udp (the NTP port).
>
> The worm starts the download attempt by sending a probe to port 8998/udp
> of the master server. Then, the server replies with a URL, where the
> worm can download the file to execute.
>
> Sobig.F also opens the following ports:
> 995/udp
> 996/udp
> 997/udp
> 998/udp
> 999/udp
>
> and it listens for any incoming UDP datagrams on these ports. Incoming
> datagrams are parsed, and upon receiving a datagram with the proper
> signature, the master server list of the worm may be updated.
>
> Network administrators should do the following:
> Block inbound traffic on ports 99x/udp.
> Block outbound traffic on port 8998/udp.
> Monitor NTP requests (port 123/udp), as these could be coming from
> infected computers. (The frequency of such checks for an infected
> computer should be once per hour.)
>
> Symantec Security Response encourages all users and administrators to
> adhere to the following basic security "best practices":
>
> Turn off and remove unneeded services. By default, many operating
> systems install auxiliary services that are not critical, such as an FTP
> server, telnet, and a Web server. These services are avenues of attack.
> If they are removed, blended threats have fewer avenues of attack and you
> have fewer services to maintain through patch updates.
>
> If a blended threat exploits one or more network services, disable, or
> block access to, those services until a patch is applied.
>
> Always keep your patch levels up-to-date, especially on computers that
> host public services and are accessible through the firewall, such as
> HTTP, FTP, mail, and DNS services.
>
> Enforce a password policy. Complex passwords make it difficult to crack
> password files on compromised computers. This helps to prevent or limit
> damage when a computer is compromised.
>
> Configure your email server to block or remove email that contains file
> attachments that are commonly used to spread viruses, such as .vbs,
> .bat, .exe, .pif and .scr files.
>
> Isolate infected computers quickly to prevent further compromising your
> organization. Perform a forensic analysis and restore the computers
> using trusted media.
>
> Train employees not to open attachments unless they are expecting them.
> Also, do not execute software that is downloaded from the Internet
> unless it has been scanned for viruses. Simply visiting a compromised
> Web site can cause infection if certain browser vulnerabilities are not
> patched.
>
> The following instructions pertain to all current and recent Symantec
> antivirus products, including the Symantec AntiVirus and Norton
> AntiVirus product lines.
>
> NOTE: If you are on a network or have a full-time connection to the
> Internet, disconnect the computer from the network and the Internet.
> Remove this threat from all the computers on the network before
> reconnecting to it. Disable or password-protect file sharing before
> reconnecting the computers to the network or to the Internet.
>
> For instructions on how to do this, see your Windows documentation, or
> the document, "How to configure shared Windows folders for maximum
> network protection."
>
> IMPORTANT: Do not skip this step. Disconnect from the network before
> attempting to remove this worm.
>
> Disable System Restore (Windows Me/XP).
> Update the virus definitions.
> Do one of the following:
> Windows 95/98/Me: Restart the computer in Safe mode.
> Windows NT/2000/XP: End the Trojan process.
> Run a full system scan and delete all the files detected as
> W32.Sobig.F@mm.
> Delete the values that were added to the registry.
>
> For specific details on each of these steps, read the following
> instructions.
>
> 1. Disabling System Restore (Windows Me/XP)
> If you are running Windows Me or Windows XP, we recommend that you
> temporarily turn off System Restore. Windows Me/XP uses this feature,
> which is enabled by default, to restore the files on your computer in
> case they become damaged. If a virus, worm, or Trojan infects a
> computer, System Restore may back up the virus, worm, or Trojan on the
> computer.
>
> Windows prevents outside programs, including antivirus programs, from
> modifying System Restore. Therefore, antivirus programs or tools cannot
> remove threats in the System Restore folder. As a result, System Restore
> has the potential of restoring an infected file on your computer, even
> after you have cleaned the infected files from all the other locations.
>
> Also, a virus scan may detect a threat in the System Restore folder even
> though you have removed the threat.
>
> For instructions on how to turn off System Restore, read your Windows
> documentation, or one of the following articles:
> "How to disable or enable Windows Me System Restore"
> "How to turn off or turn on Windows XP System Restore"
>
> 2. Updating the virus definitions
> Symantec Security Response fully tests all the virus definitions for
> quality assurance before they are posted to our servers. There are two
> ways to obtain the most recent virus definitions:
>
> Running LiveUpdate, which is the easiest way to obtain virus
> definitions: These virus definitions are posted to the LiveUpdate
> servers once each week (usually on Wednesdays), unless there is a major
> virus outbreak. To determine whether definitions for this threat are
> available by LiveUpdate, refer to the Virus Definitions (LiveUpdate).
>
> Downloading the definitions using the Intelligent Updater: The
> Intelligent Updater virus definitions are posted on U.S. business days
> (Monday through Friday). You should download the definitions from the
> Symantec Security Response Web site and manually install them. To
> determine whether definitions for this threat are available by the
> Intelligent Updater, refer to the Virus Definitions (Intelligent
> Updater).
>
> The Intelligent Updater virus definitions are available: Read "How to
> update virus definition files using the Intelligent Updater" for
> detailed instructions.
>
> 3. Restarting the computer in Safe mode or ending the Trojan process
> Windows 95/98/Me
> Restart the computer in Safe mode. All the Windows 32-bit operating
> systems, except for Windows NT, can be restarted in Safe mode. For
> instructions, read the document, "How to start the computer in Safe
> Mode."
>
> Windows NT/2000/XP
> To end the Trojan process:
> Press Ctrl+Alt+Delete once.
> Click Task Manager.
> Click the Processes tab.
> Double-click the Image Name column header to alphabetically sort the
> processes.
> Scroll through the list and look for Winppr32.exe.
> If you find the file, click it, and then click End Process.
> Exit the Task Manager.
>
> 4. Scanning for and deleting the infected files
> Start your Symantec antivirus program and make sure that it is
> configured to scan all the files.
> For Norton AntiVirus consumer products: Read the document, "How to
> configure Norton AntiVirus to scan all files."
> For Symantec AntiVirus Enterprise products: Read the document, "How to
> verify that a Symantec Corporate antivirus product is set to scan all
> files."
> Run a full system scan.
> If any files are detected as infected with W32.Sobig.F@mm, click Delete.
>
> 5. Deleting the values from the registry
>
> CAUTION: Symantec strongly recommends that you back up the registry
> before making any changes to it. Incorrect changes to the registry can
> result in permanent data loss or corrupted files. Modify the specified
> keys only. Read the document, "How to make a backup of the Windows
> registry," for instructions.
>
> Click Start, and then click Run. (The Run dialog box appears.)
> Type regedit
>
> Then click OK. (The Registry Editor opens.)
>
> Navigate to the key:
>
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>
> In the right pane, delete the value:
>
> "TrayX"="%Windir%\winppr32.exe /sinc"
>
> Exit the Registry Editor.
>
> Write-up by: Benjamin Nahorney and Atli Gudmundsson
>
> ********************END DOCUMENT********************************
>
> Jim Wood
> jwood@private
> MW Technology Group Inc
> DBA: Zebra Computer Repair & Networking
> 360-736-7000
>
> ---
> Outgoing mail is certified Virus Free.
> Checked by AVG anti-virus system (http://www.grisoft.com).
> Version: 6.0.509 / Virus Database: 306 - Release Date: 8/12/2003
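The quoted advisory recommends blocking .vbs/.bat/.exe/.pif/.scr attachments at the mail server, and the reply above makes the point that automated "you sent a virus" notices to the spoofed From: address are worse than useless. The following is an added example (not from the thread, Symantec or McAfee) of a mail-gateway policy check in Python that applies both ideas, using only indicators quoted in the advisory: the blocked extensions, and the Sobig.F subject lines and attachment names. The two sample messages are constructed for the example; the addresses in them are placeholders.

```python
"""Mail-gateway attachment policy check for the Sobig.F pattern.

Added example. Uses the indicators quoted in the Symantec advisory:
extensions recommended for blocking at the mail server, plus the
subject lines and attachment names Sobig.F was observed to use.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Extensions the advisory recommends blocking or stripping at the server.
BLOCKED_EXTENSIONS = {".vbs", ".bat", ".exe", ".pif", ".scr"}

# Subject lines and attachment names listed in the advisory.
SOBIG_SUBJECTS = {
    "Re: Details", "Re: Approved", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}


def attachment_names(msg: EmailMessage) -> list:
    """Filenames of every attachment part (empty for non-multipart mail)."""
    return [part.get_filename() or "" for part in msg.iter_attachments()]


def evaluate(raw: bytes) -> dict:
    """Classify one raw RFC 822 message.

    'action' is 'quarantine' or 'deliver' and 'reasons' lists each
    indicator that fired. 'notify_sender' is always False: the worm
    spoofs From:, so a bounce or warning would reach an uninvolved
    third party (the problem the reply above complains about).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    for name in attachment_names(msg):
        lower = name.lower()
        ext = os.path.splitext(lower)[1]
        if ext in BLOCKED_EXTENSIONS:
            reasons.append(f"blocked attachment extension {ext}: {name}")
        if lower in SOBIG_ATTACHMENTS:
            reasons.append(f"known Sobig.F attachment name: {name}")

    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        reasons.append(f"known Sobig.F subject: {subject!r}")

    return {
        "action": "quarantine" if reasons else "deliver",
        "reasons": reasons,
        "notify_sender": False,
    }


# Constructed sample modelled on the advisory (spoofed From:, listed
# subject, .scr attachment). Not a real capture; the body is a placeholder.
SAMPLE_WORM_MAIL = b"""\
From: admin@example.invalid
To: victim@example.invalid
Subject: Re: Wicked screensaver
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"

constructed-placeholder-not-an-executable
--b1--
"""

# Constructed benign message with an allowed attachment type.
SAMPLE_CLEAN_MAIL = b"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

line one
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM_MAIL), ("clean", SAMPLE_CLEAN_MAIL)):
        print(label, evaluate(raw))
```

The extension rule alone is what actually stops the worm at the gateway; the subject and filename lists only add labels to the quarantine record, since the next variant will change them. Dropping `notify_sender` to a constant rather than a setting is deliberate: with a spoofed From: there is no correct recipient for a warning.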
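The advisory also gives network administrators three checks: block inbound 99x/udp, block outbound 8998/udp, and watch NTP (123/udp) requests, and it states the UTC window (Monday or Friday, 7:00 P.M. to 11:59:59 P.M.) in which the worm tries to fetch its payload. As an added example (not from the thread or the advisory), the Python below runs those checks over firewall log lines in a simplified, constructed format (`proto=`, `src=`, `dst=`, `dir=` fields) and tags each hit with whether it fell inside the download window. The log lines are constructed; 2003-08-22 is the Friday after the date of the thread.

```python
"""Network-side detection of the Sobig.F traffic described in the advisory.

Added example. The log line format here is constructed for the example;
map the fields onto your own firewall's export format.
"""
import re
from datetime import datetime, timezone
from typing import Optional

MASTER_PROBE_PORT = 8998            # outbound udp probe to a master server
LISTENER_PORTS = range(995, 1000)   # 995-999/udp opened by the worm
NTP_PORT = 123
DOWNLOAD_DAYS = {0, 4}              # datetime.weekday(): Monday=0, Friday=4
DOWNLOAD_START_HOUR = 19            # 7:00 P.M. UTC; window ends 23:59:59

LOG_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) dir=(?P<dir>in|out)$"
)


def in_download_window(ts: datetime) -> bool:
    """True if the (timezone-aware) timestamp is in the worm's payload window."""
    ts = ts.astimezone(timezone.utc)
    return ts.weekday() in DOWNLOAD_DAYS and ts.hour >= DOWNLOAD_START_HOUR


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed-format log line; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc)
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def classify(rec: dict) -> Optional[str]:
    """Apply the two blocking rules from the advisory to one record."""
    if rec["proto"] != "udp":
        return None
    if rec["dir"] == "out" and rec["dport"] == MASTER_PROBE_PORT:
        return "outbound master-server probe (8998/udp)"
    if rec["dir"] == "in" and rec["dport"] in LISTENER_PORTS:
        return f"inbound datagram to worm listener ({rec['dport']}/udp)"
    return None


def scan_firewall_log(lines) -> list:
    """Alerts for every line matching a rule; 'host' is the internal side."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            alerts.append({
                "host": rec["src"] if rec["dir"] == "out" else rec["dst"],
                "reason": reason,
                "in_download_window": in_download_window(rec["ts"]),
            })
    return alerts


def ntp_sources(lines) -> dict:
    """Count outbound 123/udp requests per internal host for manual review
    (the advisory says an infected host checks about once per hour)."""
    counts = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "udp" and rec["dir"] == "out" \
                and rec["dport"] == NTP_PORT:
            counts[rec["src"]] = counts.get(rec["src"], 0) + 1
    return counts


# Constructed log lines (not a real capture). 2003-08-22 is a Friday,
# 2003-08-23 a Saturday; the 18:59:59 probe is just outside the window.
SAMPLE_LOG = """\
2003-08-22T19:15:02Z proto=udp src=10.0.0.5:1034 dst=203.0.113.9:8998 dir=out
2003-08-22T19:15:03Z proto=udp src=10.0.0.5:1035 dst=203.0.113.9:123 dir=out
2003-08-23T02:10:44Z proto=udp src=198.51.100.7:4321 dst=10.0.0.5:997 dir=in
2003-08-22T19:20:00Z proto=tcp src=10.0.0.8:51000 dst=203.0.113.20:80 dir=out
2003-08-22T18:59:59Z proto=udp src=10.0.0.9:1040 dst=203.0.113.9:8998 dir=out
""".splitlines()

if __name__ == "__main__":
    for alert in scan_firewall_log(SAMPLE_LOG):
        print(alert)
    print("NTP requests per host:", ntp_sources(SAMPLE_LOG))
```

The window tag is context, not a filter: the 99x/udp listeners accept datagrams at any time, and a probe outside the window is still a probe. Only the 8998/udp download attempts are expected to cluster on Monday and Friday evenings UTC.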
This archive was generated by hypermail 2b30 : Tue Aug 19 2003 - 19:38:08 PDT