John2g
Qui Tacet Consentit
Premium Member
join:2001-08-10
England

W32/Sobig.F-mm

Warning: dangerous new variant of "Sobig" family spreading

On 18th August 2003, MessageLabs, the email security company, intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

Name: W32/Sobig.F-mm
Number of copies intercepted so far: 1,124 (increasing rapidly)
Time & Date first Captured: 18 Aug 2003 21:04 GMT
Origin of first intercepted copy: United States
Most active country: United States (95%), Denmark (3%), Norway (1%)

Characteristics
Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature and the email from: address is also spoofed and may not indicate the true identity of the sender. In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.

The email may also comprise the following characteristics:
Subject: Re: Details
Text:
Please see the attached file for details.

Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif

In an attempt to bypass local antivirus security, the file size varies on each generation reminiscent of Yaha by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.

Now detected by Symantec: »securityresponse.symante ··· @mm.html

and Sophos: »www.sophos.com/virusinfo ··· igf.html
[text was edited by author 2003-08-19 07:26:19]
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

Just what we need, another Sobig variant. This one looks like it's closer to Sobig.A than the B through E variants were. Sobig.A is the email virus/worm I've seen the most this year.

Also, the reason the suffix sometimes gets truncated on the attachment is because of a bug in the worm when it encodes the attachment. It leaves off the ending quote on the filename in the MIME header. Some clients handle this OK, some truncate the last character, and some ignore the name entirely, using something like "UNKNOWN_PARAMETER_VALUE" instead.

KJP
[text was edited by author 2003-08-19 08:22:17]
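To show what that missing quote does to a gateway filter, here is an added Python example (not code from this thread or from any vendor): it parses the attachment filename parameter both strictly and tolerantly, models the three client behaviours kpatz describes, and checks the extension in a way that does not depend on the closing quote. The two header strings are constructed, not captured.

```python
import re

# Constructed header fragments (not a real capture). The second reproduces the defect
# described above: the closing quote after the filename is missing.
WELL_FORMED = 'Content-Disposition: attachment;\n\tfilename="document_9446.pif"'
UNTERMINATED = 'Content-Disposition: attachment;\n\tfilename="document_9446.pif'

# A check that insists on both quotes, as many simple header rules do.
STRICT_RE = re.compile(r'filename="([^"\r\n]*)"', re.IGNORECASE)
# Tolerant form: optional opening quote, value up to a quote, ';' or end of line, optional closing quote.
TOLERANT_RE = re.compile(r'filename=(?P<q>"?)(?P<name>[^";\r\n]+)(?P<close>"?)', re.IGNORECASE)

def strict_filename(header):
    """Filename as a quote-requiring rule sees it; None when the closing quote is missing."""
    m = STRICT_RE.search(header)
    return m.group(1) if m else None

def tolerant_filename(header):
    """Return (filename, well_formed); well_formed is False when the quotes do not pair up."""
    m = TOLERANT_RE.search(header)
    if not m:
        return None, False
    return m.group("name").strip(), m.group("q") == m.group("close")

def client_views(header):
    """What the three client behaviours described in the post above would display."""
    name, ok = tolerant_filename(header)
    if name is None:
        return {}
    if ok:
        return {"lenient": name, "truncating": name, "rejecting": name}
    return {"lenient": name, "truncating": name[:-1], "rejecting": "UNKNOWN_PARAMETER_VALUE"}

def has_dangerous_extension(header, exts=(".pif", ".scr")):
    """Extension check that does not depend on the closing quote; the form a gateway rule should use."""
    name, _ = tolerant_filename(header)
    return bool(name) and name.lower().endswith(exts)
```

The practical point is that a rule keyed on the displayed name, or one requiring the closing quote, misses the malformed copies while the tolerant check still sees the .pif extension.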
kpatz

Symantec has updated its write-up. It spreads as a .zip file, like Sobig.E, and has a self-updating capability, as well as planting backdoors to allow installing spam relays or IRC trojans.

It's also a Category 3 now, like I predicted.

Symantec writeup on W32.Sobig.F@mm

2kmaro
Think

join:2000-07-11
Oklahoma City, OK

And more info for anyone wanting to read up on it:
»www.f-secure.com/v-descs ··· _f.shtml from F-Secure.

Y'all be careful now, y'hear!
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

Ok, discrepancy alert here. Symantec's writeup says Sobig.F spreads as a zipped attachment (like Sobig.E did). I looked on McAfee, Trend, and F-Secure's sites and they state the attachment is a straight, non-zipped .pif (or .scr) file.

I'm betting with the majority and assuming the attachment isn't zipped. Can anyone who's seen this beast firsthand confirm or deny this?
Unhygienix
join:2001-11-07
Stouffville, ON

Unhygienix to John2g

Member

I have been receiving emails with attachments that have not been zipped. 27 so far. They are simply .pif extensions. All originating from the same mail domain according to the headers. Does this mean anything? It is a friend of mine's network, specifically his mail domain.

Should I contact his sys admin?

Andrew
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

If this variant is like other Sobigs I've seen, it will typically HELO/EHLO with the infected machine's name, and this will be shown in one of the Received: headers. (you'll see something like HELO=xxxxx or EHLO=xxxxx). This, in addition to the sending IP address, can help narrow down the specific box that's infected.

Switching gears, I got the latest F-prot defs (dated 8/19) but Sobig.F isn't listed. I'm guessing they'll be posting an update later on, even though their description says the 8/19 sigs include it...

KJP
JustPokeRoun
join:2002-01-29
NJ

JustPokeRoun to John2g

Member

Nod32 with current update catches it. Good to know that it actually works.
Unhygienix
join:2001-11-07
Stouffville, ON

Unhygienix to John2g

Contacted the sys admin.

Her server was not logged on correctly so the new Symantec definitions did not spread through the network.

Turns out it was my friend's machine that was infected.

Symantec defs detect this as of today.

Zhen-Xjell
Prolific Bunny

join:2000-10-08
Bordentown, NJ

Zhen-Xjell to John2g

»www.nukecops.com/article ··· 0-0.html

I got hit up by a dozen emails that seemed to have been infected, and were very large. Ouch!

CalamityJane
Premium Member
join:2002-08-27
Eustis, FL

CalamityJane to John2g

Just Posted at the Internet Storm Center

»isc.sans.org/diary.html? ··· 03-08-19

Handlers Diary August 19th 2003
Updated August 19th 2003 12:34 EDT
SOBIG.F
A new variant of the SOBIG worm is spreading fast.

Best practice to do now:

- update anti-virus scanners, both on desktops, servers and security perimeters

- communicate safe email handling instructions to all users (do not open unsolicited attachments, no matter how tempting the instructions or title are)

- block incoming UDP ports 995 - 999

- block outgoing UDP port 8998

- monitor for outgoing UDP port 123 traffic (used by NTP clients as well) for signs of infection

This new variant is rather successful at spreading.

Read more at:

»www.sarc.com/avcenter/ve ··· @mm.html
»www.trendmicro.com/vinfo ··· _SOBIG.F
»us.mcafee.com/virusInfo/ ··· k=100561
»www.sophos.com/virusinfo ··· igf.html
»www.europe.f-secure.com/ ··· _f.shtml
Schouw
Premium Member
join:2003-05-29
Netherlands

Schouw to John2g

Kaspersky has a write up as well.
One can read it here

(Post number 500)

mboy
Premium Member
join:2001-04-13
Little Falls, NJ

mboy to John2g

One of my users has been getting slammed by it all day. Someone on the Norvergence network.
Now I have to manually patch all my workstations with the new DirectX patch; can't even push this one out.

Allnew
MVM
join:2003-02-01
Denmark- EU.

Allnew to Schouw

said by Schouw:
Kaspersky has a write up as well.
One can read it here

(Post number 500)
CONGRATS!!!

Steve
I know your IP address

join:2001-03-10
Tustin, CA

Steve to John2g

What a pain in the ass: these are everywhere.

Those running the Postfix mail system can use header checks to reject these infected emails, and it's kicked out 40 of them in the last hour or so that I've been running this.

Unixwiz.net Tech Tip: Rejecting SOBIG.F Virus Emails from Postfix
Schouw
Premium Member
join:2003-05-29
Netherlands

Schouw to Allnew

said by Allnew:
CONGRATS!!!
Thanks.

Everyone seems to be getting hit by this, except me...
Anyone willing to send me a sample please contact me via IM.

IronChefMoto
Premium Member
join:2001-02-08
Atlanta, GA

IronChefMoto to John2g

Holy crap -- we use FirstClass e-mail/conferencing groupware where I work (sort of like Novell GroupWise), and every 10 seconds, a new message pops up in the various conferences and mailboxes with a paired friend from our e-mail virus scanner -- noting that an attachment has been deleted. This is nuts!

IronChefMorimoto

Zhen-Xjell
Prolific Bunny

join:2000-10-08
Bordentown, NJ

Zhen-Xjell to Steve

said by Steve:
Those running the Postfix mail system can use header checks to reject these infected emails, and it's kicked out 40 of them in the last hour or so that I've been running this.

Nice, that prompted me to share mine for Sendmail. We've about covered it except for Exim.

Details are here:

»www.nukecops.com/article521.html

Chizep
Premium Member
join:2002-04-07
Concord, NC

Chizep to John2g

Wow, I have received a ton of notifications from the Symantec AV/F for Exchange here at work today. In the last 4 hours, every single notification has been for W32.Sobig.F.

Glad I decided to do an intelligent update on our SAV parent server today....

DannyZ
Gentoo Fanboy
Premium Member
join:2003-01-29
united state

DannyZ to John2g

I found this in my inbox today. I took one look at it and knew it was a virus, and deleted it.

I really can't understand how crap like this propagates; if ya just look at it, ya know it's up to no good.

Chizep
Premium Member
join:2002-04-07
Concord, NC

Chizep to John2g

Oh yeah, all of these emails have had .pif files attached.
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

I got one with a .scr file attached. Same difference though.

F-prot does detect Sobig.F with the 8/19 defs, even though it doesn't appear in the list when I do a "f-prot -virlist". They must have forgotten to "list" it, even though the sig exists and it will report as W32/Sobig.F.

KJP

Ben Cisco
Embrace Intellect
Premium Member
join:2001-12-13
Wormhole

Ben Cisco to John2g

Here's the one I've been watching all day...(NAV killed the actual virus at the server)...

Received: (from MRAMSLER [204.66.110.164])
by system.net (NAVGW 2.5.2.12) with SMTP id M2003081914265816808
for ; Tue, 19 Aug 2003 14:26:59 -0400
X-Sybari-Trust: 26852b51 0f2b92c8 74feebe1 00000138
From:
To:
Subject: Re: That movie
Date: Tue, 19 Aug 2003 13:26:58 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_18E05091"

This is a multipart message in MIME format

--_NextPart_000_18E05091
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--_NextPart_000_18E05091
Content-Type: application/octet-stream;
name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="document_9446.pif"

--_NextPart_000_18E05091--

Please see the attached file for details.
-----------------------

IPs resolved to state owned servers in PA and TX, so far...but they are probably spoofed.

Sarah

join:2001-01-09
New York, NY

Sarah to John2g

Bleh. My e-mail was used as a randomly selected "from" field address on some infected machine, so now I am not only getting angry e-mails, but everyone who opens it and infects their computer immediately sends it back to me, so I have gotten 18 19 copies of it in the last hour or so.

Idiots.

Thankfully I run Mailwasher, which flags them (like it wasn't obvious enough when I got 9 e-mails with attachments from different people entitled "Re: Approval") and then I can delete it from the server without downloading it.

Edit: Got another one as I wrote this.
[text was edited by author 2003-08-19 15:50:53]
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

kpatz to Ben Cisco

quote:
X-MailScanner: Found to be clean
I saw this header in the sample I received too. I wonder if Sobig.F inserts that when it generates the email, or if both our samples went through a gateway scanner that missed the infection!

dsldisaster
join:2001-05-02
San Jose, CA

dsldisaster to John2g

Member

This one has been responsible for many of the ones we're getting today.

*********************

Microsoft Mail Internet Headers Version 2.0
Received: from IBM-12E8D71C726 ([66.171.136.162]) my e-mail server name with my server build;
Tue, 19 Aug 2003 12:52:32 -0700
From:
To: my domain name.com>
Subject: Re: Wicked screensaver
Date: Tue, 19 Aug 2003 15:11:49 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_NextPart_000_003F3B51"
Return-Path: Mummel77@localnet.com
Message-ID: message id: 19 Aug 2003 19:52:32.0391 (UTC) FILETIME=[6DBA2970:01C3668B]

--_NextPart_000_003F3B51
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--_NextPart_000_003F3B51
Content-Type: application/octet-stream;
name="thank_you.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="thank_you.pif"

--_NextPart_000_003F3B51--

*********************

66.171.136.162

Whois:
kpatz
MY HEAD A SPLODE
Premium Member
join:2003-06-13
Manchester, NH

kpatz

Premium Member

Here's the headers from one of my samples:

X-Apparently-To: ********@yahoo.com via 216.136.175.18; Tue, 19 Aug 2003 12:49:02 -0700
X-YahooFilteredBulk: 216.127.236.254
Return-Path: <theta@theta-ent.com>
Received: from 216.127.236.254 (EHLO RROEDGER3) (216.127.236.254) by mta143.mail.sc5.yahoo.com with SMTP; Tue, 19 Aug 2003 12:48:59 -0700
From: theta@theta-ent.com
To: ********@yahoo.com
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 14:48:59 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0152DE71"
Content-Length: 71398

Please see the attached file for details.

application.pif was attached.

Reverse DNS on 216.127.236.254: 216-127-236-254.focaldata.net

whois 216.127.236.254@whois.arin.net
[whois.arin.net]
Focal Communications THEFIXNETWORK (NET-216-127-224-0-1)
216.127.224.0 - 216.127.255.255
Focal Information Systems FOCC-FOCALIS-CHI-1 (NET-216-127-236-128-1)
216.127.236.128 - 216.127.236.255

# ARIN WHOIS database, last updated 2003-08-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
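Pulling kpatz's HELO/EHLO tip and the header samples posted by Ben Cisco, dsldisaster and kpatz together, here is an added Python example (not code from any poster or vendor): it extracts the HELO name and IP from the earliest Received: line and scores a message on the traits the posted samples share (subject line, .pif/.scr attachment, the X-MailScanner line, the doubled minus in the Date: zone). The sample message, host name and addresses are constructed, and the rejection threshold of three coinciding traits is an assumption.

```python
import re

# Constructed sample in the shape of the headers posted in this thread; host name,
# address (RFC 5737 range) and boundary are made up, and the attachment part's
# Content-Disposition is folded into the same string so one text carries every trait.
SAMPLE = """Received: from 192.0.2.77 (EHLO DESKTOP-ACCT3) (192.0.2.77) by mx.example.org with SMTP; Tue, 19 Aug 2003 12:48:59 -0700
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 14:48:59 --0500
X-MailScanner: Found to be clean
Content-Type: multipart/mixed; boundary="_NextPart_000_0152DE71"
Content-Disposition: attachment; filename="application.pif"
"""

SUBJECTS = {"re: details", "re: that movie", "re: wicked screensaver",  # quoted in this thread
            "re: re: my details", "re: approval"}
# Both Received: shapes posted above: "from <ip> (EHLO <name>) (<ip>)" and "from <name> ([<ip>])"
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(\S+)(?:\s+\((?:EHLO|HELO)\s+([^)\s]+)\))?\s+\(\[?(\d{1,3}(?:\.\d{1,3}){3})\]?\)",
    re.IGNORECASE | re.MULTILINE)

def header(msg, name):
    m = re.search(r"^%s:\s*(.*)$" % re.escape(name), msg, re.IGNORECASE | re.MULTILINE)
    return m.group(1).strip() if m else ""

def sending_host(msg):
    """(helo_name, ip) from the earliest Received: line, i.e. the box running the worm's own SMTP engine."""
    hits = RECEIVED_RE.findall(msg)
    if not hits:
        return None
    name, helo, ip = hits[-1]  # the last Received: in the text is the first hop
    return (helo or name), ip

def sobig_f_indicators(msg):
    """Names of the Sobig.F traits that fire; the combination, not any single one, is the signal."""
    found = []
    if header(msg, "Subject").lower() in SUBJECTS:
        found.append("known-subject")
    if re.search(r'filename="?[^";\r\n]*\.(pif|scr)\b', msg, re.IGNORECASE):
        found.append("pif-or-scr-attachment")
    if header(msg, "X-MailScanner").lower() == "found to be clean":
        found.append("x-mailscanner-clean")  # present in every sample above; never a reason to trust the mail
    if re.search(r"\s--\d{4}$", header(msg, "Date")):
        found.append("double-minus-tz")      # the "--0500" quirk in every posted Date: line
    return found

def triage(msg, threshold=3):
    """Reject when enough traits coincide; hand back HELO name and IP for tracing the infected box."""
    ind = sobig_f_indicators(msg)
    return {"indicators": ind, "sender": sending_host(msg), "reject": len(ind) >= threshold}
```

The HELO name and IP returned by sending_host are what you would pass to the admin of the sending network, as Unhygienix did above; the From: address is not worth reporting since the worm spoofs it.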
Just Basics
join:2003-06-08
Painter, VA

Just Basics to John2g

Member

I have never been infected with an email virus but I was wondering if you were, and your computer was sending out the infected mail, would it show in your sent mail folder?

Thanks!

Steve
I know your IP address

join:2001-03-10
Tustin, CA

This one: no. It has its own SMTP engine, so it doesn't go through the mechanisms of your email client. All it does is chew up your bandwidth and make you look like an idiot to your friends.

Steve
Just Basics
join:2003-06-08
Painter, VA

Thanks Steve!