Security Basics mailing list archives

RE: Annoying virus being mailed to me


From: "Ronald C. Williams" <ron () workshare com>
Date: Sat, 8 Feb 2003 13:24:16 -0800

I was getting them also, so I just stopped them on our mail server.  I just
started blocking anything from @boss.com

I don't get them anymore.

good luck.

Ron

-----Original Message-----
From: Don Voss [mailto:voss () albany edu]
Sent: Friday, February 07, 2003 12:14 PM
To: Chris Carter; security-basics () securityfocus com
Subject: Re: Annoying virus being mailed to me


On 7 Feb 2003 at 10:54, Chris Carter wrote:

Hi guys, For the last two months or so I have been receiving emails
with the I-Worm/Sobig virus attached about twice a day. My anti-virus
sw protects me well so I am not infected in any way (nor has anybody
else here). Initially, I used to ignore the messages and delete them;
after a couple of weeks I decided to trace the source IP from the mail
header and send complaint messages to the corresponding ISP. But the
Bast**d keeps finding other IPs to mail me from. Messages come from
big () boss com. Is anyone else being targeted? Is this a common
occurrence? Am I the only one? 

Chris,

Are you joking?

Well maybe not .. so here is the scoop. This is just another mass-mailer 
virus/worm event. The reason the ip address changes is that other users 
are being infected .. then transmitting.  Another factor is that [ as 
mentioned below],  it will mail itself to all email addresses found in 
various document formats found on the infected machine.

So .. I get these .. we all probably got/get a few a day/week. Depends 
how long you have had your email address and what kind of organization 
you work for + your circle of contacts. Add it all up .. it is a numbers 
game.

So .. here at the university .. I've had this address and others for 16+ 
years ..  multiple variants are still aliased to the current. I am in 
various documents across multiple departments, on campus web pages, in 
university charts, university staff address books, on and on.

These people take work home ...so a data file / address book with my 
email address may be there .. their children use the units .. they go to 
school and use a lab ..

I post in listserv groups for years .. people have mail archives / 
address books / htmlized versions of listserv material on their pcs .. 
now we are across national borders .. 

So who is sending me stuff from big () boss com .. who knows .. and who 
cares .. as long as it's not from a unit I currently am responsible for .. 
right ?

I just delete and move on .. I personally would not spend a minute 
looking for virus generated email or commercial spam email ..  I just 
filter and delete. It's a shame yes .. but not worth any effort to chase 
down at this time. Maybe when we have better laws regarding it .. and 
fines .. !! .. it would be worth keeping track of.

regards,

/don


Details stolen from Symantec www site.
[start insert]
As of January 13, 2003, due to an increase in submissions, Symantec 
Security Response has upgraded this threat to a Category 3 from a 
Category 2. 

The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the 
.txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the 
following characteristics:
From: big () boss com
Subject: The subject will be one of these:

Re: Movies
Re: Sample
Re: Document
Re: Here is that sample

Attachment: The attachment will be one of these:
Movie_0074.mpeg.pif
Document003.pif
Untitled1.pif
Sample.pif

Before W32.Sobig.A@mm sends the messages, it sends a message to an 
address at pagers.icq.com. 

The worm also attempts to copy itself to the following folders on all the 
open network shares:
\Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Note: Symantec Security Response has received reports of W32.Sobig.A@mm 
downloading and installing the Backdoor Trojan, Backdoor.Lala.


Also Known As: W32/Sobig [McAfee], WORM_SOBIG.A [Trend], W32/Sobig-A 
[Sophos] 
Type: Worm 
Infection Length: 65,536 bytes 
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000, 
Windows XP, Windows Me 
Systems Not Affected: Macintosh, OS/2, UNIX, Linux 

The above text stolen from :
http://www.symantec.com/avcenter/venc/data/w32.sobig.a () mm html

[end insert]






_____________________________________________
Don Voss                                      voss () albany edu
Sr. Programmer Analyst
Geography & Planning Department
The University at Albany, SUNY
Albany, NY, 12222-0100

"No matter how cynical you get, it is impossible to keep up."
- Lily Tomlin
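As an added example (not part of the original thread or of Symantec's advisory), the Python filter below applies the W32.Sobig.A@mm traits quoted above (sender big@boss.com, the four subjects, the four .pif attachment names) to a parsed message, and additionally flags any .pif attachment, since a sender-domain block such as the one Ron describes misses the same payload arriving from other addresses. The sample message and the hypothetical function names are constructed for this illustration.

```python
# Added example, not from the original thread: a defender-side filter that
# flags mail matching the W32.Sobig.A@mm traits quoted above (sender,
# subject, .pif attachment). The sample message below is constructed.
from email import message_from_string
from email.utils import parseaddr

SOBIG_SENDER = "big@boss.com"
SOBIG_SUBJECTS = {"Re: Movies", "Re: Sample", "Re: Document",
                  "Re: Here is that sample"}
SOBIG_ATTACHMENTS = {"Movie_0074.mpeg.pif", "Document003.pif",
                     "Untitled1.pif", "Sample.pif"}

def sobig_indicators(raw: str) -> list[str]:
    """Return the Sobig.A indicators found in one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    if parseaddr(msg.get("From", ""))[1].lower() == SOBIG_SENDER:
        hits.append("sender")
    if (msg.get("Subject") or "").strip() in SOBIG_SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment-name")
        # .pif is an executable type on Windows; flag it for any name,
        # since new variants and other senders reuse the same trick.
        if name.lower().endswith(".pif"):
            hits.append("pif-attachment")
    return hits

def verdict(raw: str) -> str:
    """'sobig' on sender or known name, 'suspicious' on any .pif, else 'clean'."""
    hits = sobig_indicators(raw)
    if "sender" in hits or "attachment-name" in hits:
        return "sobig"
    return "suspicious" if "pif-attachment" in hits else "clean"

# Constructed sample shaped like the advisory's description, not a real capture.
SAMPLE_SOBIG = """\
From: big@boss.com
Subject: Re: Movies
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="Movie_0074.mpeg.pif"
Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"

MZ (constructed placeholder, not the worm body)
--b1--
"""
```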

