Information Security News mailing list archives

More Sobig.F


From: InfoSec News <isn () c4i org>
Date: Fri, 22 Aug 2003 03:41:33 -0500 (CDT)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

Sobig load is increasing: over the past 15 hours I've received 52 copies in my 
inbox, up from yesterday's 47 in 20 hours (and, as previously noted, well 
exceeding the previous record for Klez at its height).  (On the slightly bright side, 
spammers seem to have been affected: other spam seems slightly down today  :-)

As noted, Sobig uses its own SMTP engine, and spoofs both the From and Return-
Path headers on a random basis, so that is no indication.  Most subject lines I have 
received have been:
Your details
Re: Re: My details
Thank you!
Re: Thank you!
Re: That movie
Re: Your application
Re: Approved
Re: Wicked screensaver

Others may be found in the lists and detailed descriptions at the URLs below.

However, the message body is always "Please see the attached file for details." so 
that is a reliable indicator.  In addition, I've had a look at more headers, and the 
following two seem to appear in every copy I've received:

X-MailScanner: Found to be clean

X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Once again, *PLEASE* spread the word: DO NOT OPEN ATTACHMENTS.  If 
in doubt, don't.  Sobig uses no special technology beyond this rather simplistic 
social engineering.  (Can anyone tell me: is there any content scanner lazy enough 
to be bypassed by the X-MailScanner header?)

http://www.sophos.com/virusinfo/analyses/w32sobigf.html
http://www.f-secure.com/v-descs/sobig_f.shtml

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
If you like laws and sausage, you should never watch either being
made.                                            - Otto von Bismarck
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
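[Editor's added example; this is not part of Rob's message or of the ISN archive. It turns the indicators quoted above (the fixed body text, the two X- headers, the subject list) into a small Python triage script run over constructed sample messages, and puts a deliberately lazy filter beside it to show concretely what the closing question is getting at: a scanner that trusts "X-MailScanner: Found to be clean" waves every copy through, because that header arrives with the worm's own mail. From: and Return-Path: are ignored, since the message notes they are spoofed at random. The sample messages, the attachment name "attachment.bin" and the verdict thresholds are assumptions for illustration; the indicator strings are the ones given in the message.]

```python
"""Heuristic triage of incoming mail against the Sobig.F indicators quoted
in the post above.  Added example; not code from the original message.
Requires only the Python standard library."""
import email
from email import policy
from email.message import EmailMessage

# Indicators as quoted in the post.  From: and Return-Path: are spoofed at
# random by the worm's own SMTP engine, so they are deliberately not used.
SUBJECTS = {
    "Your details", "Re: Re: My details", "Thank you!", "Re: Thank you!",
    "Re: That movie", "Re: Your application", "Re: Approved",
    "Re: Wicked screensaver",
}
BODY_TEXT = "Please see the attached file for details."
HEADERS = {
    "X-MailScanner": "Found to be clean",
    "X-Mailer": "Microsoft Outlook Express 6.00.2600.0000",
}


def has_attachment(msg: EmailMessage) -> bool:
    """True if any MIME part is an attachment (non-multipart mail has none)."""
    return any(True for _ in msg.iter_attachments())


def body_text(msg: EmailMessage) -> str:
    """Plain-text body with surrounding whitespace removed ('' if none)."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content().strip() if part is not None else ""


def score_sobig_f(raw: bytes) -> dict:
    """Classify one raw RFC 822 message as 'sobig-f', 'suspicious' or 'clean'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    if body_text(msg) == BODY_TEXT:
        reasons.append("body is the fixed Sobig.F text")
    if all(msg.get(h, "").strip() == v for h, v in HEADERS.items()):
        reasons.append("both Sobig.F X- headers present")
    subject = (msg.get("Subject") or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"known subject line {subject!r}")
    attached = has_attachment(msg)
    # The worm only spreads through its attachment, so without one the best
    # we can say is 'suspicious'.  Thresholds are an assumption of this example.
    if attached and ("body is the fixed Sobig.F text" in reasons or len(reasons) >= 2):
        verdict = "sobig-f"
    elif reasons:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons, "attachment": attached}


def lazy_scanner(raw: bytes) -> str:
    """The failure mode the post asks about: a filter that trusts an upstream
    'Found to be clean' header.  Since the worm's mail carries that header
    itself, this returns 'clean' for every copy."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get("X-MailScanner", "").strip() == "Found to be clean":
        return "clean"
    return score_sobig_f(raw)["verdict"]


# --- constructed sample messages (not real captures) -----------------------
SOBIG_SAMPLE = b"""\
From: someone@example.com
To: victim@example.net
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please see the attached file for details.
--B1
Content-Type: application/octet-stream; name="attachment.bin"
Content-Disposition: attachment; filename="attachment.bin"
Content-Transfer-Encoding: base64

TVo=
--B1--
"""

LEGIT_SAMPLE = b"""\
From: hr@example.org
To: victim@example.net
Subject: Re: Your application
X-MailScanner: Found to be clean
Content-Type: text/plain

Thanks, we have received your form and will be in touch next week.
"""

PLAIN_SAMPLE = b"""\
From: friend@example.org
To: victim@example.net
Subject: Lunch?
Content-Type: text/plain

Noon at the usual place?
"""

if __name__ == "__main__":
    for name, raw in [("worm", SOBIG_SAMPLE), ("legit", LEGIT_SAMPLE), ("plain", PLAIN_SAMPLE)]:
        print(name, score_sobig_f(raw), "lazy:", lazy_scanner(raw))
```

Run it as-is to see the three verdicts; the worm-like sample scores on all three indicators and carries an attachment, the legitimate reply matches only a subject line (so it is merely "suspicious"), and the lazy filter passes the worm-like sample as "clean" purely on the strength of the spoofable header.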



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.