1 - 5 of 5 Posts

Premium Member · Discussion Starter · #1
This is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
· propagates via email, constructing outgoing messages with its own SMTP engine
· propagates over network shares (not confirmed in testing yet)
Subject:
· Re: Thank you!
· Re: Details
· Re: Re: My details
· Re: Approved
· Re: Your application
· Re: Wicked screensaver
· Re: That movie
Attachment:
· your_document.pif
· document_all.pif
· thank_you.pif
· your_details.pif
· details.pif
· document_9446.pif
· application.pif
· wicked_scr.scr
· movie0045.pif

Body:
· See the attached file for details
· Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
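An added example, not part of the thread, that turns the indicators listed above into a small mailbox triage check: a message is flagged only when both the subject and the attachment name match, and a mailer-daemon bounce that quotes one of those subjects is labelled as backscatter from the spoofed "From:" address rather than as a local infection. The sample messages and addresses are constructed for the example.

```python
from email import message_from_bytes, policy

# Indicators exactly as listed in the post above.
SUBJECTS = {"Re: Thank you!", "Re: Details", "Re: Re: My details", "Re: Approved",
            "Re: Your application", "Re: Wicked screensaver", "Re: That movie"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}

def classify(raw: bytes) -> str:
    """Return 'worm', 'backscatter' or 'clean' for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject = (msg["Subject"] or "").strip()
    names = {p.get_filename() for p in msg.iter_attachments()}
    # Require both indicators: the subjects alone look like ordinary mail.
    if subject in SUBJECTS and names & ATTACHMENTS:
        return "worm"
    # A bounce quoting one of the worm's subjects means the worm forged the
    # local address in From:; it is not evidence that this mailbox is infected.
    sender = (msg["From"] or "").lower()
    if "mailer-daemon" in sender or "postmaster" in sender:
        text = "".join(p.get_content() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
        if any(s in text for s in SUBJECTS):
            return "backscatter"
    return "clean"

# Constructed sample messages (addresses are made up for the example).
WORM_SAMPLE = b"""\
From: alice@example.com
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="wicked_scr.scr"

Y29uc3RydWN0ZWQ=
--b1--
"""
BOUNCE_SAMPLE = b"""\
From: MAILER-DAEMON@mail.example.net
Subject: Mail delivery failed: returning message to sender

Your message with subject "Re: That movie" could not be delivered.
"""
CLEAN_SAMPLE = b"""\
From: carol@example.org
Subject: Re: Details

Sending the details on Monday.
"""
```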
 

Global Moderator · Electronic Design
Interesting, I got a bunch of these today, someone found me. :D I started in thinking that it was someone targeting me, but after looking at them closely, I realized what it was. The interesting thing is the payload is different on some of them.
:confused:
 

Registered
Sobig virus

I work in a small office, and we are getting a whole bunch of emails in our AOL account from mailer daemons saying that the emails we sent with "wicked screensaver" and "That movie" in the subject have the Sobig virus in them. I ran the virus scan and it didn't come up with anything. Is there something we need to do??
 

Premium Member · Discussion Starter · #4
coburnjm, hello...
Unfortunately, this is a side effect of the virus. One of the actions of the virus is to spoof the sender's email address to hide the original one. It's similar to you sending a gag letter to someone with your neighbor's mailing address on it. That someone would then reply to your neighbor complaining about the gag letter that he sent. In reality, the letter was sent by you, not your neighbor. You most likely do not have the virus, but keep an eye on your firewall / AV logs for unusual activity. Most emails that come from mailer daemons are automated. If you notice an email from a security admin, I would send a courtesy email explaining that you are aware of the problem and are coping with the issue as well...

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
Feel free to ask if you have any more questions !!! :D
 