Tech Support banner

Status
Not open for further replies.
1 - 5 of 5 Posts

·
Premium Member
Joined
·
1,611 Posts
Discussion Starter #1
This is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
· propagates via email, constructing outgoing messages with its own SMTP engine
· propagates over network shares (not confirmed in testing yet)
Subject:
· Re: Thank you!
· Re: Details
· Re: Re: My details
· Re: Approved
· Re: Your application
· Re: Wicked screensaver
· Re: That movie
Attachment:
· your_document.pif
· document_all.pif
· thank_you.pif
· your_details.pif
· details.pif
· document_9446.pif
· application.pif
· wicked_scr.scr
· movie0045.pif



Body:
· See the attached file for details
· Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
 

·
Citizen of the world
Joined
·
51,041 Posts
Interesting, I got a bunch of these today, someone found me. :D I started in thinking that it was someone targeting me, but after looking at them closely, I realized what it was. The interesting thing is the payload is different on some of them.
:confused:
 

·
Registered
Joined
·
22 Posts
sobig virus

i work in a small office, and we are getting a whole bunch of emails in our aol account from mailer daemons saying that the email we sent with "wicked screensaver" and "That movie" in the subject have the sobig virus in it. i ran the virus scan and it didn't come up with anything. is there something we need to do??
 

·
Premium Member
Joined
·
1,611 Posts
Discussion Starter #4
coburnjm, hello...
unfortunately, this is a side effect of the virus. One of the actions of the virus is to spoof the senders email address to hide the original one. Its similar to you sending a gag letter to someone with your neighbors mailing address on it. That someone would then reply to your neighbor complaining about a gag letter that he sent. In reality, letter was sent by you, not your neighbor. You most likely do not have the virus, but keep an eye on your firewall / AV logs for unusuall activity. Most emails that come from mailer daemons are automated. If you notice an email from a security admin, I would send a courtesy email explaining that you are aware of the problem and are coping with the issue as well...


The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
Feel free to ask if you have any more questions !!! :D
 
1 - 5 of 5 Posts
Status
Not open for further replies.
Top