Full Disclosure mailing list archives

RE: Sobig has a surprise...


From: "Jerry Heidtke" <jheidtke () fmlh edu>
Date: Sat, 23 Aug 2003 18:53:13 -0500


I've been unable to find, anywhere, the list of servers that Sobig.e tries to contact. I did find one reference that 
stated Sobig.e had a list of 22 servers that it tried to contact, not five.

I was able to confirm from several AV sites that while Sobig.e stopped trying to spread several weeks ago, the update 
feature is still active and launches itself every Monday and Friday. If you, or anyone, can confirm that this is the 
list from Sobig.e, (even by saying something like "Yes, I saw this traffic to these addresses in our firewall logs, 
checked the system, and it was infected with Sobig.e"), we can all rest a little easier, and I apologize for raising 
any unnecessary concern.

I didn't pay any attention to Sobig.e when it came out (not my area of responsibility), and wasn't aware that it had 
the same update capabilities as Sobig.f. I guess I assumed from all the uproar in the press and various lists about 
Sobig.f that this was some new nastiness only recently discovered. Was this all just more self-serving fear-mongering 
by the AV companies? Did I fall for it? yewww

I have to go wash my hands now...

Jerry

-----Original Message-----
From: Peter Ferrie [mailto:pferrie () symantec com]
Sent: Saturday, August 23, 2003 3:58 PM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Sobig has a surprise...

Ron was asking if anyone had more details about the OTHER addresses
that Sobig tried to contact:

67.164.250.26/8998
129.244.36.194/8998
67.73.60.121/8998
218.146.139.246/8998
66.169.84.77/8998

Other people have seen the same thing. The exact circumstances are
still unknown (at least to me).

This is the IP list for Sobig.E.

8^) p.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
