INTERACT FORUM


Author Topic: viruses and stuff  (Read 7582 times)

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
viruses and stuff
« on: August 20, 2003, 12:53:53 am »

Well, tonight I started getting a ton of emails that have the sobig.f virus attached. :o

It seems that possibly the email addresses of Interact users are being spoofed by the virus, as several of the emails I've received appear to be from people who are regular posters here.

Has anyone else been getting virus emails that appear to be from names you recognize from this forum?

Just coincidentally, today I decided to see what sort of offer Symantec had available to upgrade my Norton AV 2000 to Norton AV 2003. And coincidentally, they were offering a mail-in rebate in addition to the lower upgrade price, so I got the upgrade for only $9.95. :)

I've run several scans on my system as well as downloaded and run the sobig.f removal tool from the Symantec website just to be sure that my machine wasn't infected...and as far as I can tell, it wasn't. :)

Rob
Logged

Marko

  • Guest
Re: viruses and stuff
« Reply #1 on: August 20, 2003, 02:55:50 am »

I got hammered with those too. Mine were all from spoofed AOL addresses so no way of telling where they came from. I'm pretty sure they didn't come from interact or anyone else from here as they made their way to my "very private" mail address. I've been wracking the old grey matter wondering who it could be, and sending out investigative e-mails to likely suspects, but nothing as yet.

Now, come to mention it, there is one poster here who does have that address. I shall send a PM for some confirmation ;)

No infection this end either. Like, I'm really gonna double click on a "wicked screensaver" file sent to me from some unknown dude via AOL with the message "see attached file"  ::)
Logged

LisaRCT

  • Guest
Re: viruses and stuff
« Reply #2 on: August 20, 2003, 06:12:46 am »

Quote

I've been wracking the old grey matter wondering who it could be, and sending out investigative e-mails to likely suspects, but nothing as yet.


It may not be a good idea to send out 'investigative emails' as this only compounds the problem by further clogging up the net traffic.
Actually it has been said that part of the plan was for this virus/worm not only to send erroneous emails, but to also initiate a response from anti-virus and other software to further clog up the internet's arteries.
You may be unwittingly contributing to the problem by doing so on any large scale.
Logged

John Gateley

  • Citizen of the Universe
  • *****
  • Posts: 4957
  • Nice haircut
Re: viruses and stuff
« Reply #3 on: August 20, 2003, 07:43:09 am »

Quote


It may not be a good idea to send out 'investigative emails' as this only compounds the problem by further clogging up the net traffic.


Single messages won't make it worse. It's automated replies or multiple destinations that cause a lot of traffic.

The virus scans all the files on your hard drive looking for e-mail addresses (check one of the virus sites for details), including html files, so if someone made a copy of interact pages and then was infected, then that could be where you are getting those from.

j

fex

  • Guest
Re: viruses and stuff
« Reply #4 on: August 20, 2003, 09:30:21 am »

Quote


... including html files, so if someone made a copy of interact pages and then was infected, then that could be where you are getting those from.

j

Don't forget the "temp"-folder, where a site is temporarily stored every time you browse it....
Logged

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #5 on: August 20, 2003, 11:30:01 am »

Wow, this is really about the first time that I've ever been affected by an email virus. I've been online for about 8 years, and it's only been in the last couple of months that I've ever had a problem. Since around 10pm last night I've received about 100 emails with sobig.f attached.

The main reason I originally posted was that the account that is receiving all the emails is the one that I used to register here and because several of the emails had senders' addresses that appear to correspond to people who post on this forum. So, hopefully everyone is busy updating their virus software and running scans on their systems. :)

Rob
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #6 on: August 20, 2003, 11:55:27 am »

I got a few hundred emails in 12 hours.
It's the first time it has happened to me as well.

All the addresses are very strange ones, weird. As far as I can see, none of them are from people here.

Besides this, many users here do not have their posting name in their email address.

Link to a free and friendly free online scan AND removal:

http://uk.trendmicro-europe.com/enterprise/products/housecall_pre.php
Logged

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #7 on: August 20, 2003, 12:07:53 pm »

Quote
As far as i can see none of them from people here.


I have several. In fact, I've got some that have senders email addresses that match the names of two people who've posted in this thread.

Rob
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #8 on: August 20, 2003, 12:19:16 pm »

Did you get one -or many- from me?
zevele1-=098@yahoo.fr [less the -=098]
Logged

Marko

  • Guest
Re: viruses and stuff
« Reply #9 on: August 20, 2003, 12:23:59 pm »

Quote


I have several. In fact, I've got some that have senders email addresses that match the names of two people who've posted in this thread.

Rob


Rob, you can't have any faith in the from fields, they're spoofed....
read on.....
lifted from f-secure (who also have a link to a removal tool ;) )

Quote
Mail spreading

The worm usually arrives in e-mails with the following characteristics:

From:


The 'From:' field is filled with an address found from the infected system.
If no address is found, it will use "admin@internet.com"

To:


The 'To:' field is filled with an address found from the infected system.

Subject, any from the list:


Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

Body, it chooses one from the two following lines:


See the attached file for details
Please see the attached file for details.


Attachment names can be any from:


your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

Sometimes the attachment is missing.

Also, the mail header always contains this string: "X-MailScanner: Found to be clean". Do note that there's an anti-virus product which inserts this header to emails. Disinfection Tool


-marko.
Logged
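A mail-filter check built from the F-Secure characteristics quoted in the post above, as an added example that is not part of the original thread or F-Secure's tooling. It ignores the spoofed From: field, treats the X-MailScanner header as informational only because a real anti-virus product also inserts it, and handles the missing-attachment case; the `build_sample` helper, the example.com addresses and the three sample mails are constructed for illustration.

```python
from email import message_from_string
from email.message import EmailMessage

# Indicator values copied from the F-Secure description quoted above.
SUBJECTS = {
    "re: thank you!", "thank you!", "your details", "re: details",
    "re: re: my details", "re: approved", "re: your application",
    "re: wicked screensaver", "re: that movie",
}
BODIES = {
    "see the attached file for details",
    "please see the attached file for details.",
}
ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}

def sobig_f_indicators(raw):
    """Return which of the quoted Sobig.F traits a raw message shows."""
    msg = message_from_string(raw)
    hits = set()
    if (msg.get("Subject") or "").strip().lower() in SUBJECTS:
        hits.add("subject")
    # Recorded but never decisive: a legitimate scanner adds this header too.
    if "found to be clean" in (msg.get("X-MailScanner") or "").lower():
        hits.add("header")
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in ATTACHMENTS:
            hits.add("attachment")
        if part.get_content_type() == "text/plain" and not name:
            text = (part.get_payload(decode=True) or b"").decode("ascii", "replace")
            if text.strip().lower() in BODIES:
                hits.add("body")
    return hits

def classify(raw):
    """'match', 'suspect' (attachment missing) or 'no match'."""
    hits = sobig_f_indicators(raw)
    if "attachment" in hits and hits & {"subject", "body"}:
        return "match"
    if {"subject", "body"} <= hits:
        return "suspect"
    return "no match"

def build_sample(subject, body, attachment=None):
    """Constructed test mail; addresses and attachment bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "someone@example.com"   # spoofable, so never inspected above
    m["To"] = "reader@example.com"
    m["Subject"] = subject
    m["X-MailScanner"] = "Found to be clean"
    m.set_content(body)
    if attachment:
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_string()

SAMPLE_WORM = build_sample("Re: Details",
                           "Please see the attached file for details.",
                           "your_details.pif")
SAMPLE_BARE = build_sample("Thank you!", "See the attached file for details")
SAMPLE_CLEAN = build_sample("Meeting notes", "Agenda is in the body of this mail.")

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("bare", SAMPLE_BARE),
                       ("clean", SAMPLE_CLEAN)):
        print(label, classify(raw), sorted(sobig_f_indicators(raw)))
```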

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #10 on: August 20, 2003, 12:39:15 pm »

Quote
Posted by: zevele       Posted on: Today at 1:19pm

Did you get one -or many- from me?  
zevele1-=098@yahoo.fr [less the -=098]


Yes...I know it wasn't from you, but it did contain that address.

Quote
Rob, you can't have any faith in the from fields, they're spoofed...


I know they're spoofed. I was just saying that I've received some emails that happen to have senders addresses that correspond to the screen names of some of the people that post here. Also, out of the 5 email accounts that I use, the only one receiving the emails is also the one that I used to register here. I'm not pointing my finger at anyone, but only that it seems that some computer, somewhere, that has a list of the email addresses that people used to register on this forum was/still is infected and was/still is sending out messages with the virus attached.

Rob
Logged

John Gateley

  • Citizen of the Universe
  • *****
  • Posts: 4957
  • Nice haircut
Re: viruses and stuff
« Reply #11 on: August 20, 2003, 12:43:50 pm »

Hi Rob,

All that is needed is for someone on an infected computer to read interact, and visit this thread. The html is saved in their tmp directory (thanks Fex) and includes e-mail addresses if you make them public (like you do). Then you start getting e-mails.

It is not all e-mail addresses, only those that come from a visited page where the address is public.

j

Marko

  • Guest
Re: viruses and stuff
« Reply #12 on: August 20, 2003, 12:46:39 pm »

I'd say "still is" infected, as I got another shedload tonight ::)

There's been no response so far from the only poster here who has "my very private address" (that may not be so private any more).

Our pooled info certainly does seem to suggest that someone close to interact could well be infected doesn't it.
Ach well, fttb, mailwasher's taking care of things for me :)
-marko.
Logged

Marko

  • Guest
Re: viruses and stuff
« Reply #13 on: August 20, 2003, 12:51:02 pm »

I have not received any sobig-f mail at the mail address publicly advertised in my profile at interact.
Logged

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #14 on: August 20, 2003, 12:56:44 pm »

Quote
I'd say "still is" infected, as I got another shedload tonight


Yeah. Today, I've been receiving between 20 - 30 an hour.

Rob
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #15 on: August 20, 2003, 01:03:28 pm »

Out of 8 email addresses, I got the virus at only one address.

The address on interact, but it is the address I use the most and that I have on other forums.. so I cannot make any link with this place.

I NEVER got spam at this address, as I say NEVER.
But this sobig, I have been getting it non-stop since this morning, almost one per minute.....
Looks like my 25 MB email limit would be over during the night.....
Logged

John Gateley

  • Citizen of the Universe
  • *****
  • Posts: 4957
  • Nice haircut
Re: viruses and stuff
« Reply #16 on: August 20, 2003, 01:36:34 pm »

Quote
Our pooled info certainly does seem to suggest that someone close to interact could well be infected doesn't it.


There's a good chance of it, but remember that "close to interact" could be someone who is just a lurker.

j

Yaobing

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10875
  • Dogs of the world unite!
Re: viruses and stuff
« Reply #17 on: August 20, 2003, 06:17:31 pm »

I received a few mails from some email servers saying that email I sent to certain addressees contains the virus. But I can not find any of the recipient addresses on my computer, certainly not in my address book.

So probably my email address was spoofed. It however makes me uneasy thinking there is a possibility that my computer is infected. Coincidentally, this evening my fax program's database got corrupted, losing most of my received and sent faxes.

I ran PC-cillin, and it did not find anything. But I wonder whether PC-cillin is still working at full potential because my license expired, and I keep clicking "Upgrade Later" every day. It still downloads updates almost daily, and the program runs.
Logged
Yaobing Deng, JRiver Media Center

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71600
  • Where did I put my teeth?
Re: viruses and stuff
« Reply #18 on: August 20, 2003, 06:54:47 pm »

I believe that the sobig.f worm used the addresses it could find for both to and from.  We got the same complaints about messages that I'm sure we didn't send.
Logged

Pink Waters

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 881
  • Finally I understand the feelings of the few
Re: viruses and stuff
« Reply #19 on: August 20, 2003, 08:26:45 pm »

The virus that bugged me the most these last days is the wormblast worm....

It closes a service in WinXP called the Remote Procedure Call service... and you know, when any service closes for an unknown reason .. WinXP is cool :) it pops up a window with about 30 seconds to save your work and it automatically shuts down Windows...

I didn't know that it was a virus because the antivirus did not recognize it..

So I made it so that when the service is closed, Windows does not take any action... so it does not close Windows...

After that I noticed that the clipboard and drag and drop were not working too ;D

Until I found the 2 file fix stuff...
Logged
Tamer

zevele10

  • Guest
Re: viruses and stuff
« Reply #20 on: August 20, 2003, 10:27:43 pm »

Yaobing

See my link to the PC Cillin free online check.
Unlike many free online checks, it will remove the virus if found.
Logged

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #21 on: August 20, 2003, 10:40:14 pm »

You can also download free scan/removal tools for specific viruses from:

http://securityresponse.symantec.com/avcenter/tools.list.html

(Well, I've finally received over 200 emails with the virus attached. I wonder how long this is going to go on? I read on Google News that this version of sobig isn't set to expire until Sept. 10).

Rob
Logged

Marko

  • Guest
Re: viruses and stuff
« Reply #22 on: August 20, 2003, 10:53:20 pm »

Well, I got a reply (thanks), and it's not him ;)

Wonder who it is, and will they 'fess up when they finally twig, lol.

Thankfully, the thing is just a minor irritant, and the mails are easily dealt with server-side.

That w32.blaster worm kept me very busy last week fielding calls from confused friends. It's fast too. I installed a new HDD for a friend and clean installed XP onto it. W32.blaster struck less than 5 minutes after getting the internet connection active!! It was gone in even less time ;)
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #23 on: August 20, 2003, 11:13:27 pm »

Looks like things have calmed down.

Still some emails, but much less than yesterday.
Logged

LisaRCT

  • Guest
Re: viruses and stuff
« Reply #24 on: August 21, 2003, 05:40:58 am »

I did my updates and ran Norton AntiVirus, made sure my Windows Updates were current, clamped down on my firewall program security and even visited Symantec's site and ran their 'FixSbigF' patch (which said I was clean) and purged my temp files.
Today I ran that 'HouseCall' that Zevele posted a link to and it said it found the sobig virus. (Odd thing is although it auto-fixed it too quickly for me to get a good look, I am pretty sure it said it found 'Sobig G' virus . . . I could be mistaken, but.)

Since I didn't open any emails with attachments, and all my email gets scanned, I find it hard to believe.
Could that mean that rather than being infected, I just had an unopened email which contained it . . . perhaps even in my Recycle Bin?

:-[   :-/   :'(   ?   :-/   :-[
Logged

Yaobing

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 10875
  • Dogs of the world unite!
Re: viruses and stuff
« Reply #25 on: August 21, 2003, 09:25:14 am »

Quote
Yaobing

See my link to PC Cillin free online check.
Unlike many free online checks, it will remove the virus if found.

I did it. It's good to know my system is clean. :)
Logged
Yaobing Deng, JRiver Media Center

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #26 on: August 21, 2003, 10:20:52 am »

Quote
Could that mean that rather than being infected, I just had an unopened email which contained it . . . perhaps even in my Recycle Bin?


When Norton scans for infected email attachments, doesn't it remove and quarantine the attachment? Maybe what Housecall found was all of the removed attachment files that are in the Norton quarantine folder. I now have about 250 of those in mine.

But, I know how you're feeling. I've done several virus scans as well as download the free tool and I'm still not 100% confident that my system is bug-free. Not only is this virus good at clogging up your inbox, it also seems to be good at spreading a lot of Fear, Uncertainty and Doubt.

Rob
Logged

LisaRCT

  • Guest
Re: viruses and stuff
« Reply #27 on: August 21, 2003, 10:22:25 am »

Hi Yaobing!
I had visited Symantec, ran their check/fix which said I was clean.  I'd hope to think I was mistaken about having had the virus as NortonAV has never failed me (before?). And that was even with doing a pretty fair amount of file downloading as well as peer-to-peer where there were many viruses and Norton nabbed them, it seemed like before the file completed download (still a *.dat file).
I don't like feeling vulnerable.   ?


Ahhh, Rob . . .  thanks, just saw your post.   :)
Just looked further into things here and Norton had a backup file apparently for the quarantined folder . . . you were right there it lurked    :D
Emptied that out too . . .
The good news is I think I can feel more secure knowing Norton had caught & quarantined it apparently before it could actually have infected me. Unless one snuck through   ?

LOL, no, I am not gonna get all paranoid over it . . . unless the folks here on Interact decide it is my fault and wanna have a lynching   :o
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #28 on: August 21, 2003, 11:36:25 am »

I think that we can calm down now.

ANY anti-virus system has had the time to update.
So, Norton, Symantec, PC Cillin, AVG, no matter which one you run, if they tell you you are clean, you can trust them..

On the side, I like to comfort myself from time to time by running the PC Cillin online check.

Now, if there are still people opening email attachments as they open their mailbox, there is no reason for this kind of virus not to flourish...................

I got a lot of mails telling me that I sent email with a virus. It means that my address was taken somewhere by someone having the virus on his machine.
It can be here, or another place, or one from my address book.

Less mail now. Anyway Yahoo put around 98% of them in the bulk folder, not bad.
Logged

John Gateley

  • Citizen of the Universe
  • *****
  • Posts: 4957
  • Nice haircut
Re: viruses and stuff
« Reply #29 on: August 21, 2003, 03:11:37 pm »

One way to help feel secure that you are not infected. On your firewall filter all outgoing connections to port 25 (SMTP) except for your outgoing mail server. Then check your logs to see if any packets are filtered.

This has the added benefit if you get infected in the future, it prevents your machine from being used to spread the infection.

It has no drawbacks (except the small amount of time for configuration).

j
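The log check suggested in the post above, as an added example that is not part of the original thread: it reads firewall log lines and reports internal hosts that tried to reach port 25 anywhere other than the designated outgoing mail server. The iptables-style `KEY=value` log format, the `ALLOWED_RELAYS` address and the sample lines are assumptions constructed for illustration; adapt the field names to whatever your firewall writes.

```python
import re
from collections import defaultdict

# Assumption: the one server this network is allowed to hand mail to.
ALLOWED_RELAYS = {"198.51.100.10"}

# Assumption: iptables-style LOG lines with KEY=value fields.
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def unexpected_smtp(log_lines, allowed=ALLOWED_RELAYS):
    """Map each source host to its filtered port-25 attempts.

    Only TCP packets to destination port 25 whose destination is not an
    allowed relay are counted; everything else in the log is ignored.
    """
    offenders = defaultdict(lambda: {"packets": 0, "destinations": set()})
    for line in log_lines:
        fields = dict(FIELD.findall(line))
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue
        src, dst = fields.get("SRC"), fields.get("DST")
        if not src or not dst or dst in allowed:
            continue
        offenders[src]["packets"] += 1
        offenders[src]["destinations"].add(dst)
    return dict(offenders)

# Constructed sample log (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
Aug 21 15:02:11 gw kernel: OUT=eth0 SRC=192.168.1.20 DST=198.51.100.10 PROTO=TCP SPT=1041 DPT=25
Aug 21 15:02:12 gw kernel: OUT=eth0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP SPT=1045 DPT=25
Aug 21 15:02:12 gw kernel: OUT=eth0 SRC=192.168.1.30 DST=203.0.113.53 PROTO=UDP SPT=1030 DPT=53
Aug 21 15:02:13 gw kernel: OUT=eth0 SRC=192.168.1.20 DST=203.0.113.77 PROTO=TCP SPT=1046 DPT=25
Aug 21 15:02:14 gw kernel: OUT=eth0 SRC=192.168.1.20 DST=203.0.113.45 PROTO=TCP SPT=1047 DPT=25
Aug 21 15:02:15 gw kernel: OUT=eth0 SRC=192.168.1.30 DST=203.0.113.80 PROTO=TCP SPT=1031 DPT=80
""".splitlines()

if __name__ == "__main__":
    for host, info in unexpected_smtp(SAMPLE_LOG).items():
        print(f"{host}: {info['packets']} filtered SMTP packets to "
              f"{len(info['destinations'])} destinations")
```

A host that shows up here with many distinct destinations is the one to scan first; a machine that only ever talks to the allowed relay produces no entry.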

KingSparta

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 20049
Re: viruses and stuff
« Reply #30 on: August 21, 2003, 03:48:58 pm »

I have had no problems

but MC9 keeps playing

Charted At 30 In 1979

Listening to: 'Do You Love What You Feel' from 'The Very Best Of' by 'Rufus Featuring Chaka Khan' on Media Center 9.1

I think it may be a Virus, but NAV tells me it's ok
Logged
Retired Military, Airborne, Air Assault, And Flight Wings.
Model Trains, Internet, Ham Radio
https://MyAAGrapevines.com
https://centercitybbs.com
Fayetteville, NC, USA

zevele10

  • Guest
Re: viruses and stuff
« Reply #31 on: August 22, 2003, 06:26:56 am »

Not sure if this is linked to this virus saga, but:

Non-stop, ntoskrnl.exe wants to connect to the internet.

Is this normal? I do not remember having it before.

My machine is clean according to a few anti-virus programs.
Logged

KingSparta

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 20049
Re: viruses and stuff
« Reply #32 on: August 23, 2003, 05:24:38 am »

It seems my ISP is checking for viruses; a message I got the other day from 2 spammers who seem to not be getting with the program attempted to spam me with the W32.Sobig.F@mm virus.

Quote
ALERT!!!
This e-mail in its original form contained one or more attached files that were infected with a virus or worm, or contained another type of security threat.

The following attachments were infected and have been repaired:
No attachments are in this category.

The following attachments were deleted due to an inability to clean them:
1. your_details.pif: W32.Sobig.F@mm

The Following attachments were not delivered due to inbound mail policy violations:
No attachments are in this category.


Road Runner does not contact the sender of the infected attachment(s) in the event that they were not actually sent from the indicated party.

Please contact the sender directly to alert them of their issue with infected files if you wish to do so.

For more information on Road Runner's virus filtering initiative, visit our Help & Member Services pages at http://help.rr.com, or the virus filtering information page directly at http://help.rr.com/faqs/e_mgsp.html.

------------ Original message text follows ------------


Please see the attached file for details.
Logged
Retired Military, Airborne, Air Assault, And Flight Wings.
Model Trains, Internet, Ham Radio
https://MyAAGrapevines.com
https://centercitybbs.com
Fayetteville, NC, USA

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #33 on: August 27, 2003, 03:42:02 am »

Ughhhh...

I can't believe this is still going on.

Last week, over about a 3 day period, I received about 500 emails. Then, over the weekend and part of Monday, I didn't receive even a single one. Then, starting late Monday, they started coming in again and now at an even faster rate than before. Over the last couple of hours, about 100. Apparently my ISP isn't doing anything to block them. I guess I'm gonna have to call them tomorrow and see what's up. I'm gonna be really annoyed if I have to delete this one email address.  

Rob

Listening to: 'Rock And Roll Wh0re (with Jack Black)' from 'Fake Songs' by 'Liam Lynch' on Media Center 9.0
Logged

zevele10

  • Guest
Re: viruses and stuff
« Reply #34 on: August 27, 2003, 01:34:25 pm »

Exactly the same here.
From 7 morning to 11 evening ...164 mails.....
Logged

rocketsauce

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 1059
Re: viruses and stuff
« Reply #35 on: August 28, 2003, 12:33:51 am »

Well, since the time of my last post, I've received about 400 more.

I finally called tech support at my ISP today and their suggested solution was to delete the affected email account.  >:( They said there is nothing they can do about it, but I can't believe that they can't somehow scan for the virus on their servers and automatically delete the messages and attachments.

Rob
Logged

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 71600
  • Where did I put my teeth?
Re: viruses and stuff
« Reply #36 on: August 28, 2003, 05:28:27 am »

My ISP added something called Postini a few months ago.  It made a big difference.  I'm not getting many virus e-mails now.
Logged