Information Security News mailing list archives

Sobig.E warning


From: InfoSec News <isn () c4i org>
Date: Fri, 27 Jun 2003 01:37:31 -0500 (CDT)

Forwarded from: "Rob, grandpa of Ryan, Trevor, Devon & Hannah" <rslade () sprint ca>

I am, today, seeing an absolute flood of messages infected with the
Sobig.E worm.  It may be an anomaly, but the numbers I am seeing in my
own mail would seem to warrant some kind of warning.

Sobig spoofs message headers, so the email will appear to come from a
legitimate address.  Most of the subject lines that I have received are
"Re: Application"; I've also received one "Re: Movie."  The body is
always (in the ones I've received) "Please see the attached zip file
for details."  The raw message size is always 110K.  All of the
messages I have received carry an attached file named "your_details.zi":
note that the trailing "p" is missing.  This version carries a file
named details.pif.  Note that two of the antivirals that I have run do
*not* recognize the virus in the compressed form (your_details.zi),
although they do recognize the executable file (details.pif).  I have
also received a bounce message as a result of an infected message
spoofed with my email address: this indicates that at least one email
scanner does catch the infected message in the compressed form.  The
MIME info in the message is as follows (and may be presented
differently by different mailers):

--CSmtpMsgPart123X456_000_00C72C65
Content-Type: application/x-zip-compressed;
        name="your_details.zip"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
        filename="your_details.zi"


Note that Sobig is primarily a worm: it spreads through network shares.  (I can't 
see anyone dumb enough to rename the file, extract the contents, then run the 
executable and infect themselves ... no, wait, I *can* see people being dumb 
enough to do that ...)

At any rate, I'm seeing significant numbers this morning, and thought a heads-up 
would be a good idea.  More info can be found at 
http://www.f-secure.com/v-descs/sobig_e.shtml and 
http://www.sophos.com/virusinfo/analyses/w32sobige.html

======================  (quote inserted randomly by Pegasus Mailer)
rslade () vcn bc ca      slade () victoria tc ca      rslade () sun soci niu edu
Vikings?  There ain't no vikings here.  Just us honest farmers.
The town was burning, the villagers were dead.  They didn't need
those sheep anyway.  That's our story and we're sticking to it.
                                                      - Dan Sorenson
http://victoria.tc.ca/techrev    or    http://sun.soci.niu.edu/~rslade
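The indicators Rob lists above (subject lines, body text, the "your_details.zi" attachment whose Content-Type name and Content-Disposition filename disagree, and a details.pif inside the zip) can be turned into a small mail-gateway check. The following is an added example written for this archive page, not code from Rob Slade or from the ISN list; the message it builds is constructed for the test (the zip holds a text placeholder named details.pif, not an executable), and the sender/recipient addresses and the extra executable suffixes beyond .pif are assumptions. The point it makes that the report alone does not show is that the archive must be identified by structure, not by its filename extension, since the missing "p" is exactly what an extension-based filter misses.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators quoted from the report above.
KNOWN_SUBJECTS = {"Re: Application", "Re: Movie"}
KNOWN_BODY = "Please see the attached zip file for details."
KNOWN_ATTACHMENT = "your_details.zi"      # trailing "p" missing, as reported
KNOWN_INNER_FILE = "details.pif"
# .pif is from the report; the other suffixes are an assumed extension of it.
EXECUTABLE_SUFFIXES = (".pif", ".exe", ".scr", ".com", ".bat")


def build_sample_message() -> bytes:
    """Construct a message with the structure the report describes.

    Constructed sample, not a captured Sobig.E message: the zip holds a
    text placeholder named details.pif.  The Content-Type name
    ("your_details.zip") deliberately differs from the Content-Disposition
    filename ("your_details.zi"), exactly as in the quoted MIME headers.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(KNOWN_INNER_FILE, b"placeholder, not an executable")

    msg = EmailMessage()
    msg["From"] = "spoofed@example.com"    # assumed spoofed sender address
    msg["To"] = "recipient@example.org"    # assumed recipient
    msg["Subject"] = "Re: Application"
    msg.set_content(KNOWN_BODY)
    msg.add_attachment(
        buf.getvalue(),
        maintype="application",
        subtype="x-zip-compressed",
        filename=KNOWN_ATTACHMENT,           # Content-Disposition filename
        params={"name": "your_details.zip"}, # Content-Type name
    )
    return msg.as_bytes()


def analyze(raw: bytes) -> dict:
    """Return which of the reported indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = {
        "subject": str(msg["Subject"] or "") in KNOWN_SUBJECTS,
        "body": False,
        "attachment_name": False,
        "name_mismatch": False,
        "executable_in_zip": False,
    }

    body = msg.get_body(preferencelist=("plain",))
    if body is not None:
        hits["body"] = body.get_content().strip() == KNOWN_BODY

    for part in msg.iter_attachments():
        filename = part.get_filename() or ""        # from Content-Disposition
        ctype_name = part.get_param("name") or ""   # from Content-Type
        if filename == KNOWN_ATTACHMENT:
            hits["attachment_name"] = True
        if ctype_name and filename and ctype_name != filename:
            hits["name_mismatch"] = True

        # Identify the archive by its structure, not by extension: a
        # scanner keyed on ".zip" never looks inside "your_details.zi".
        payload = part.get_payload(decode=True) or b""
        if zipfile.is_zipfile(io.BytesIO(payload)):
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                names = zf.namelist()
                if any(n.lower().endswith(EXECUTABLE_SUFFIXES) for n in names):
                    hits["executable_in_zip"] = True
    return hits


def is_suspect(hits: dict) -> bool:
    """Flag on archive contents, or on the reported attachment naming quirk."""
    return hits["executable_in_zip"] or (
        hits["attachment_name"] and hits["name_mismatch"]
    )


if __name__ == "__main__":
    result = analyze(build_sample_message())
    for name, hit in result.items():
        print(f"{name:18s} {'HIT' if hit else '-'}")
    print("suspect:", is_suspect(result))
```

The subject and body strings are the weakest of these signals, since any later variant can change them; the structural checks (an archive under a non-archive extension, a name/filename disagreement, an executable member inside) are what a gateway filter should key on, and they are why the bounce Rob received is plausible even though two desktop scanners ignored the compressed form.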



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

