NukeCops
Someone is infected with some serious stuff!
I checked my email this morning and, lo and behold, there were over 500 messages from these email addresses:


schrock.7@osu.edu
mts@lebanon-online.com.lb
kavkeeper@mailgw.cvut.cz
3E35E0A8.7080204@guardiandigital.com
dave@guardiandigital.com
drove@vc.cvut.cz
rse@engelschall.com
austria@msdirectservices.com
J.Groenendijk@hro.nl
inet@microsoft.com
lendecke@math.uni-goettingen.de
info-line@microsoft.hr
InfoService@microsoft.at
ftpadmin@platan.vc.cvut.cz
info@trendsbv.nl
redactie@SURFnet.nl
WEBDOC@NOVELL.COM
edwinvaneggelen@softhome.net
licensing@divxnetworks.com
cadegdog@123box.co.uk
sophoscd@sophos.com
mswsgulf@microsoft.com

They all contain the .pif files and other nice worm goodies to infect your system. So I blacklisted those emails and now they are getting replies from my MTA pointing them here: anti-spam.html. They've all been listed under [KILL_EMAIL] with the exception of 'cadegdog@123box.co.uk' who has been [SPAM_EMAIL] listed locally. Watch out for these email addresses. They are not doing well right now.
Posted on Tuesday, August 19 @ 10:31:58 CEST by Zhen-Xjell
Re: Someone is infected with some serious stuff! (Score: 1)
by Zhen-Xjell on Tuesday, August 19 @ 10:38:15 CEST
http://castlecops.com
More added just now:

hot-line@microsoft.hr
berg@schaapbliksem.nl
A.Dryak@sh.cvut.cz
rse@apache.org



Re: Someone is infected with some serious stuff! (Score: 1)
by allevon on Tuesday, August 19 @ 10:49:19 CEST
http://www.AlleVonTech.com
Big ouch! Based on those, I suspect someone in either Germany, Austria, Holland, the UK or the Czech Republic got infected. It appears as if those are possibly friends in an address book and the virus is emailing it out to all of them. So Europeans should double-check their systems, whereas they may not know they have it. Of course, everyone should check their systems, especially if you have a lot of European email addresses in your address book.



Re: Someone is infected with some serious stuff! (Score: 1)
by Raven on Tuesday, August 19 @ 10:53:47 CEST
http://ravenphpscripts.com
Computer Incident Response Team (CIRT)

Category: Intelligence Reports

------------------------------------------------------------------------

Contents:

HIGH 204909: SoBig.F Worm Gaining Ground in the Wild
HIGH 204910: SoBig.F Worm Compared to Other Variants
HIGH 204889: Welchia.RPC.A Worm Exploits DCOM RPC and WebDAV Vulnerabilities
HIGH 204888: W32/Lovsan.worm.d
MEDIUM 204903: Dumaru Worm Installs IRC Trojan
MEDIUM 204890: IRA Terrorist Splinter Group Was Reportedly Developing Four-Man Hacking Cell
LOW 204912: Randren Batch File Virus Discovered
LOW 204911: Randex.H Worm Exploits Weakly Protected Network Shares
LOW 204905: Bardiel Worm Corrupts Target Files
LOW 204907: Lemir.C Trojan Steals Game Passwords
LOW 204908: Troj.AnalogX Trojan Provides Backdoor Access
LOW 204900: Cassandra Polymorphic Virus Being Developed
LOW 204896: Sincom.dr Trojan Horse Installs Sincom Password-Stealing Trojan Horse
LOW 204891: Ferlect Tool Facilitates Distributed Denial of Service Attack
MINIMAL 204906: Gartner: One-Fifth of Enterprises to Experience Major Internet Security Incident
MINIMAL 204897: ArabSecure.net to Monitor Hackers


HIGH Threat
8/19/2003@12:45:08GMT ID#204909:

SoBig.F Worm Gaining Ground in the Wild: SoBig.F, a new variant of the
SoBig worm, has been discovered in the wild. SoBig.F is 72,568 bytes in
size and spreads to computers running Microsoft Windows operating
systems.

SoBig.F spreads as an e-mail worm, usually with a PIF attachment, and
possibly as a network-shares worm. E-mails sent by SoBig.F possess the
following characteristics:

One of the following Subjects:

• Re: Approved
• Re: Details
• Re: Re: My details
• Re: Thank you!
• Re: That movie
• Re: Wicked screensaver
• Re: Your application
• Thank you!
• Your details
One of the following Messages:
• Please see the attached file for details.
• See the attached file for details
One of the following Attachments:
• application.pif
• details.pif
• document_9446.pif
• document_all.pif
• movie0045.pif
• thank_you.pif
• wicked_scr.scr
• your_details.pif
• your_document.pif
If the malicious attachment executes, SoBig.F installs a copy of itself
into the Windows directory as the file winppr32.exe. SoBig.F modifies
the Windows registry to run the worm upon Windows start-up:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = C:\<Windows directory>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
TrayX = C:\<Windows directory>\winppr32.exe /sinc

This SoBig variant adds junk bytes to the end of its malicious code file
to vary the file size and make detection difficult.

Sources: AVIEN, Aug. 19, 2003
iDEFENSE Intelligence Operations, Aug. 19, 2003
Norman ASA (http://www.norman.com/virus_info/w32_sobig_f_mm.shtml), Aug. 19, 2003
Network Associates Inc./McAfee.com (http://vil.nai.com/vil/content/v_100561.htm), Aug. 19, 2003
Computer Associates (http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=49259), Aug. 19, 2003

Analysis: (iDEFENSE US) This mass-mailing worm is a variant of the
SoBig family. More than 10,000 copies of this worm have been seen in the
wild at the time of this writing.

There are also indications that Sobig.F will stop replicating on Sept.
10, 2003, one day before the Sept. 11 anniversary. Other variants of
Read the rest of this comment...
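The following is an added example and not code from the thread, from NukeCops, or from iDEFENSE or any vendor named in the report above. It turns two things on this page into a small triage script: the .pif-carrying mail described in the original post, and the indicators quoted in Raven's comment (the subject lines, body texts, attachment names, and the TrayX Run value pointing at winppr32.exe). The sample messages and the registry export inside it are constructed test data, and every function name is mine. Because SoBig.F forges the From: address, the sender is deliberately not used as an indicator.

```python
"""Triage SoBig.F mail and persistence indicators (added example).

Indicator values come from the report quoted in the thread; the messages
and the .reg export built below are constructed test data.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECTS = {
    "Re: Approved", "Re: Details", "Re: Re: My details", "Re: Thank you!",
    "Re: That movie", "Re: Wicked screensaver", "Re: Your application",
    "Thank you!", "Your details",
}
BODIES = {
    "Please see the attached file for details.",
    "See the attached file for details",
}
ATTACHMENTS = {
    "application.pif", "details.pif", "document_9446.pif", "document_all.pif",
    "movie0045.pif", "thank_you.pif", "wicked_scr.scr", "your_details.pif",
    "your_document.pif",
}
# The worm pads itself with junk bytes, so file size is useless as an
# indicator; the attachment name and its executable extension are not.
EXEC_EXTENSIONS = (".pif", ".scr")


def sobig_indicators(raw: bytes) -> list[str]:
    """Return the SoBig.F indicators matched by one raw RFC 2822 message.

    The From: header is ignored on purpose: SoBig.F forges it.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            name = filename.strip().lower()
            if name in ATTACHMENTS:
                hits.append(f"attachment:{name}")
            elif name.endswith(EXEC_EXTENSIONS):
                # Unknown name but a .pif/.scr payload: still worth flagging.
                hits.append(f"exec-attachment:{name}")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip() in BODIES:
                hits.append("body")
    return hits


def is_sobig_f(raw: bytes) -> bool:
    """Classify as SoBig.F only when an executable attachment AND a lure
    (known subject or body) match, so a lone 'Thank you!' is not quarantined."""
    hits = sobig_indicators(raw)
    payload = any(h.startswith(("attachment:", "exec-attachment:")) for h in hits)
    lure = any(h == "body" or h.startswith("subject:") for h in hits)
    return payload and lure


def build_sample(subject: str, body: str, attachment_name: str = "") -> bytes:
    """Construct a message in the shape the report describes (test data)."""
    m = EmailMessage()
    m["From"] = "forged-sender@example.com"  # constructed; the worm forges this
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ" + b"\x00" * 64, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed .reg export; only the TrayX value is taken from the report.
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX"="C:\\WINDOWS\\winppr32.exe /sinc"
"Synchronization Manager"="mobsync.exe /logon"
"""


def find_sobig_persistence(reg_text: str) -> list[tuple[str, str]]:
    """Return (key, value name) pairs in a .reg export whose Run entry
    launches winppr32.exe, the file name the report gives for the worm."""
    found = []
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and key.upper().endswith(r"\CURRENTVERSION\RUN") and "=" in line:
            name, _, value = line.partition("=")
            if "winppr32.exe" in value.lower():
                found.append((key, name.strip('"')))
    return found
```

Running `sobig_indicators` over a mailbox gives you the per-message evidence, `is_sobig_f` a quarantine decision, and `find_sobig_persistence` a check of a `reg export` taken from a suspect Windows box; the pairing of attachment plus lure is what keeps the script from tripping on ordinary "Thank you!" mail.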



Re: Someone is infected with some serious stuff! (Score: 1)
by chatserv on Tuesday, August 19 @ 13:26:08 CEST
http://nukeresources.com
murray@FreeBSD.org
3Dpwierzbicki@marvipol.com.pl
VdR@Team.com



Re: Someone is infected with some serious stuff! (Score: 1)
by Ronin on Tuesday, August 19 @ 12:46:35 CEST
Doesn't that virus put in a bogus "from" email address? Basically it searches an infected PC's drives for any email addresses, then forwards itself using these addresses as the from: field.

Maybe I read it wrong.....


Nuke Cops founded by Paul Laudanski (Zhen-Xjell).