Discussion Starter · #1 ·
This is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:
· propagates via email, constructing outgoing messages with its own SMTP engine
· propagates over network shares (not confirmed in testing yet)
Subject:
· Re: Thank you!
· Re: Details
· Re: Re: My details
· Re: Approved
· Re: Your application
· Re: Wicked screensaver
· Re: That movie
Attachment:
· your_document.pif
· document_all.pif
· thank_you.pif
· your_details.pif
· details.pif
· document_9446.pif
· application.pif
· wicked_scr.scr
· movie0045.pif
Body:
· See the attached file for details
· Please see the attached file for details

The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.
Discussion Starter · #4 ·
coburnjm, hello...
Unfortunately, this is a side effect of the virus. One of the actions of the virus is to spoof the sender's email address to hide the original one. It's similar to you sending a gag letter to someone with your neighbor's mailing address on it. That someone would then reply to your neighbor complaining about a gag letter that he sent. In reality, the letter was sent by you, not your neighbor. You most likely do not have the virus, but keep an eye on your firewall / AV logs for unusual activity. Most emails that come from mailer daemons are automated. If you notice an email from a security admin, I would send a courtesy email explaining that you are aware of the problem and are coping with the issue as well...
Feel free to ask if you have any more questions !!! :D