John2g (Qui Tacet Consentit), Premium Member, joined 2001-08-10, England
John2g
Premium Member
2003-Aug-19 6:24 am
W32/Sobig.F-mm

Warning: dangerous new variant of "Sobig" family spreading

On 18th August 2003, MessageLabs, the email security company, intercepted several copies of a mass-mailing virus which were identified as W32/Sobig.F-mm. The initial copies all originated from the United States.

Name: W32/Sobig.F-mm
Number of copies intercepted so far: 1,124 (increasing rapidly)
Time & Date first Captured: 18 Aug 2003 21:04 GMT
Origin of first intercepted copy: United States
Most active country: United States (95%), Denmark (3%), Norway (1%)

Characteristics

Initial analysis would suggest that Sobig.F is a mass-emailing virus that is spreading very vigorously. Sobig.F appears to be polymorphic in nature, and the email From: address is also spoofed and may not indicate the true identity of the sender.

In earlier versions of the Sobig family, the file extension has sometimes been truncated. MessageLabs have not yet observed this with the Sobig.F strain.

The email may also comprise the following characteristics:

Subject: Re: Details
Text: Please see the attached file for details.
Attachment names may include: your_document.pif, details.pif, your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif, application.pif, document_9446.pif

In an attempt to bypass local antivirus security, the file size varies on each generation, reminiscent of Yaha, by appending rubbish to the end of the file, but is on average around 74kb in size. The initial copies are packed using TELock, but there may be other variants in the wild packed using different packers.

Now detected by Symantec: » securityresponse.symante ··· @mm.html and Sophos: » www.sophos.com/virusinfo ··· igf.html
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
kpatz
Premium Member
2003-Aug-19 8:21 am
Just what we need, another Sobig variant. This one looks like it's closer to Sobig.A than the B through E variants were. Sobig.A is the email virus/worm I've seen the most this year.
Also, the reason the suffix sometimes gets truncated on the attachment is because of a bug in the worm when it encodes the attachment. It leaves off the ending quote on the filename in the MIME header. Some clients handle this OK, some truncate the last character, and some ignore the name entirely, using something like "UNKNOWN_PARAMETER_VALUE" instead.
KJP
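The truncation bug kpatz describes (a filename parameter whose closing quote is missing) is easy to reproduce with a small parameter parser. What follows is an added example, not code from this thread or from any mail client: it parses a Content-Disposition or Content-Type parameter list with a state machine, reports whether a quoted value was ever closed, and models the three client outcomes kpatz lists (use the name as-is, drop the last character, discard the name). The sample headers are constructed and the three "behaviour" values are illustrations of those outcomes, not reproductions of any particular client's parser.

```python
"""Parse MIME Content-Disposition / Content-Type parameters and flag the
unterminated quoted-string described above.

Added example, not code from the thread or from any mail client. The
sample headers are constructed; the three 'behaviour' values model the
outcomes kpatz describes, not any specific client's implementation.
"""

UNKNOWN = "UNKNOWN_PARAMETER_VALUE"


def parse_params(header):
    """Return (main_value, params, malformed) for a header value such as
    'attachment; filename="x.pif"'.

    Values are walked with a small state machine rather than split on ';'
    so a ';' inside a quoted value survives. If a quoted value is never
    closed, everything up to the end of the header becomes the value and
    `malformed` is set so the caller can treat the header as suspicious.
    """
    main, _, rest = header.partition(";")
    main = main.strip().lower()
    params = {}
    malformed = False
    i, n = 0, len(rest)
    while i < n:
        while i < n and rest[i] in " \t;":   # skip separators
            i += 1
        if i >= n:
            break
        eq = rest.find("=", i)
        if eq < 0:                            # bare token without '='
            malformed = True
            break
        name = rest[i:eq].strip().lower()
        i = eq + 1
        while i < n and rest[i] in " \t":
            i += 1
        if i < n and rest[i] == '"':          # quoted-string
            i += 1
            buf, closed = [], False
            while i < n:
                c = rest[i]
                if c == "\\" and i + 1 < n:   # quoted-pair: keep next char
                    buf.append(rest[i + 1])
                    i += 2
                    continue
                i += 1
                if c == '"':
                    closed = True
                    break
                buf.append(c)
            if not closed:                    # the Sobig bug lands here
                malformed = True
            value = "".join(buf)
        else:                                 # plain token, runs to ';'
            end = rest.find(";", i)
            if end < 0:
                end = n
            value = rest[i:end].strip()
            i = end
        params[name] = value
    return main, params, malformed


def filename_as_seen_by(header, behaviour="strict"):
    """Name a client would show for the attachment, under one of three
    modelled behaviours: 'lenient', 'truncate' or 'strict'."""
    _, params, malformed = parse_params(header)
    name = params.get("filename", params.get("name"))
    if name is None:
        return None
    if not malformed or behaviour == "lenient":
        return name
    if behaviour == "truncate":     # assumes a closing quote was present
        return name[:-1]
    return UNKNOWN                  # refuses the malformed name outright


# Constructed samples: a well-formed header and the missing-quote bug.
GOOD = 'attachment; filename="thank_you.pif"'
BAD = 'attachment; filename="thank_you.pif'

if __name__ == "__main__":
    for hdr in (GOOD, BAD):
        print(parse_params(hdr))
        for b in ("lenient", "truncate", "strict"):
            print(f"  {b:8s} -> {filename_as_seen_by(hdr, b)!r}")
```

The practical point for a gateway: treat `malformed` as an indicator in its own right. A legitimate mail client does not emit an unterminated quoted-string, so a scanner that only looks at the recovered filename (and sees `thank_you.pi`, or nothing) can miss what the raw header is telling it.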
kpatz
Premium Member
2003-Aug-19 9:27 am
Symantec has updated its write-up. It spreads as a .zip file, like Sobig.E, and has a self-updating capability, as well as planting backdoors to allow installing spam relays or IRC trojans. It's also a Category 3 now, like I predicted. Symantec writeup on W32.Sobig.F@mm
2kmaro (Think), joined 2000-07-11, Oklahoma City, OK
And more info for anyone wanting to read up on it: » www.f-secure.com/v-descs ··· _f.shtml from F-Secure. Y'all be careful now, y'hear!
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
kpatz
Premium Member
2003-Aug-19 12:33 pm
Ok, discrepancy alert here. Symantec's writeup says Sobig.F spreads as a zipped attachment (like Sobig.E did). I looked on McAfee, Trend, and F-Secure's sites and they state the attachment is a straight, non-zipped .pif (or .scr) file.
I'm betting with the majority and assuming the attachment isn't zipped. Can anyone who's seen this beast firsthand confirm or deny this?
to John2g
I have been receiving emails with attachments that have not been zipped. 27 so far. They are simply .pif extensions. All originating from the same mail domain according to the headers. Does this mean anything? It is a friend of mine's network, specifically his mail domain.
Should I contact his sys admin?
Andrew
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
kpatz
Premium Member
2003-Aug-19 12:47 pm
If this variant is like other Sobigs I've seen, it will typically HELO/EHLO with the infected machine's name, and this will be shown in one of the Received: headers. (you'll see something like HELO=xxxxx or EHLO=xxxxx). This, in addition to the sending IP address, can help narrow down the specific box that's infected.
Switching gears, I got the latest F-prot defs (dated 8/19) but Sobig.F isn't listed. I'm guessing they'll be posting an update later on, even though their description says the 8/19 sigs include it...
KJP
to John2g
Nod32 with current update catches it. Good to know that it actually works.
to John2g
Contacted the sys admin.
Her server was not logged on correctly so the new Symantec definitions did not spread through the network.
Turns out it was my friend's machine that was infected.
Symantec defs detect this as of today.
Zhen-Xjell (Prolific Bunny), joined 2000-10-08, Bordentown, NJ
to John2g
» www.nukecops.com/article ··· 0-0.html
I got hit up by a dozen emails that seemed to have been infected, very large. Ouch!
to John2g
Just posted at the Internet Storm Center: » isc.sans.org/diary.html? ··· 03-08-19

Handlers Diary August 19th 2003
Updated August 19th 2003 12:34 EDT

SOBIG.F

A new variant of the SOBIG worm is spreading fast. Best practice to do now:
- update anti-virus scanners, both on desktops, servers and security perimeters
- communicate safe email handling instructions to all users (do not open unsolicited attachments, no matter how tempting the instructions or title are)
- block incoming UDP ports 995 - 999
- block outgoing UDP port 8998
- monitor for outgoing UDP port 123 traffic (used by NTP clients as well) for signs of infection

This new variant is rather successful at spreading. Read more at:
» www.sarc.com/avcenter/ve ··· @mm.html
» www.trendmicro.com/vinfo ··· _SOBIG.F
» us.mcafee.com/virusInfo/ ··· k=100561
» www.sophos.com/virusinfo ··· igf.html
» www.europe.f-secure.com/ ··· _f.shtml
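The three network indicators in the ISC list (inbound UDP 995-999, outbound UDP 8998, outbound UDP 123) can be checked against firewall logs before or instead of waiting for the AV vendors. The script below is an added example, not part of the ISC diary or this thread: it reads constructed log lines in the field=value style of the Linux iptables LOG target and reports, per internal host, which of the three indicators it tripped. Because NTP clients legitimately use UDP/123, that indicator is only raised when one host talks to several distinct servers. The LAN range (`INTERNAL`, a documentation prefix) and the fan-out threshold (`NTP_FANOUT`) are assumptions for the example; the log lines are made up.

```python
"""Flag internal hosts whose UDP traffic matches the ISC Sobig.F indicators
above. Added example, not from the ISC diary. Reads constructed log lines
in the field=value style of the iptables LOG target (IN=, OUT=, SRC=, DST=,
PROTO=, SPT=, DPT=) and reports per host:
  in-udp-995-999      inbound UDP to the 995-999 range (block this)
  out-udp-8998        outbound UDP to port 8998 (block this)
  out-udp-123-fanout  outbound UDP/123 to NTP_FANOUT or more distinct peers
                      (NTP is legitimate, so this is a watch item only)
INTERNAL and NTP_FANOUT are assumptions for this example."""
import ipaddress
import re
from collections import defaultdict

INTERNAL = ipaddress.ip_network("192.0.2.0/24")  # assumption: our LAN
NTP_FANOUT = 3                                   # assumption: distinct peers before we flag
KV = re.compile(r"(\w+)=(\S*)")

# Constructed sample; addresses are documentation ranges, nothing real.
SAMPLE_LOG = """\
Aug 19 15:02:11 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=198.51.100.7 PROTO=UDP SPT=1057 DPT=8998 LEN=36
Aug 19 15:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=203.0.113.9 PROTO=UDP SPT=123 DPT=123 LEN=76
Aug 19 15:02:12 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=203.0.113.10 PROTO=UDP SPT=123 DPT=123 LEN=76
Aug 19 15:02:13 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.25 DST=203.0.113.11 PROTO=UDP SPT=123 DPT=123 LEN=76
Aug 19 15:02:30 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.25 PROTO=UDP SPT=8998 DPT=996 LEN=40
Aug 19 15:03:01 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.40 DST=203.0.113.9 PROTO=UDP SPT=123 DPT=123 LEN=76
Aug 19 15:03:05 fw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.40 DST=198.51.100.20 PROTO=TCP SPT=3344 DPT=25 LEN=52
Aug 19 15:03:40 fw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.40 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """One LOG line -> dict with src, dst, proto, dpt; None if a field is missing."""
    f = dict(KV.findall(line))
    if not all(k in f for k in ("SRC", "DST", "PROTO", "DPT")):
        return None
    return {"src": f["SRC"], "dst": f["DST"], "proto": f["PROTO"], "dpt": int(f["DPT"])}


def triage_udp_log(log_text):
    """Map internal host -> sorted list of indicator tags."""
    findings = defaultdict(set)
    ntp_peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP":
            continue
        src_in = ipaddress.ip_address(rec["src"]) in INTERNAL
        dst_in = ipaddress.ip_address(rec["dst"]) in INTERNAL
        if src_in and not dst_in:                 # outbound
            if rec["dpt"] == 8998:
                findings[rec["src"]].add("out-udp-8998")
            elif rec["dpt"] == 123:
                ntp_peers[rec["src"]].add(rec["dst"])
        elif dst_in and not src_in:               # inbound
            if 995 <= rec["dpt"] <= 999:
                findings[rec["dst"]].add("in-udp-995-999")
    for host, peers in ntp_peers.items():
        if len(peers) >= NTP_FANOUT:
            findings[host].add("out-udp-123-fanout")
    return {host: sorted(tags) for host, tags in findings.items()}


if __name__ == "__main__":
    for host, tags in triage_udp_log(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
```

On the sample, only 192.0.2.25 is reported: it tripped all three indicators, while 192.0.2.40 polled a single NTP server and is left alone. For the blocking half of the ISC advice the corresponding iptables rules would be along the lines of `iptables -A INPUT -p udp --dport 995:999 -j DROP` and `iptables -A OUTPUT -p udp --dport 8998 -j DROP` (my rendering of the advice, not text from the diary); logging the dropped packets with `-j LOG` first is what produces lines the script above can read.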
Schouw, Premium Member, joined 2003-05-29, Netherlands
to John2g
Kaspersky has a write up as well. One can read it here (Post number 500)
mboy, Premium Member, joined 2001-04-13, Little Falls, NJ
to John2g
One of my users has been getting slammed by it all day. Someone on the Norvergence network. Now I have to manually patch all my workstations with their new DirectX patch, can't even push this one out.
Allnew, MVM, joined 2003-02-01, Denmark, EU
to Schouw
said by Schouw: Kaspersky has a write up as well. One can read it here (Post number 500)
CONGRATS!!!
Steve (I know your IP address), joined 2001-03-10, Tustin, CA
to John2g
What a pain in the ass: these are everywhere. Those running the Postfix mail system can use header checks to reject these infected emails, and it's kicked out 40 of them in the last hour or so that I've been running this. Unixwiz.net Tech Tip: Rejecting SOBIG.F Virus Emails from Postfix
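Two things in this thread combine naturally: kpatz's advice to read the EHLO name and sending IP out of the first Received: header to find the infected box, and Steve's point that the headers are regular enough to reject on. The script below is an added example, not the Unixwiz rules and not anything from Sobig.F itself. It parses a raw message with Python's standard `email` module, extracts the HELO/EHLO host and IP from the first hop in the three Received: layouts quoted later in this thread (Yahoo, Exchange, NAV gateway), lists attachment names, and scores the message against header traits that the quoted samples share: `X-MailScanner: Found to be clean`, the fixed Outlook Express 6.00.2600.0000 X-Mailer, the double-dash UTC offset in Date, the subjects seen in the thread, and a .pif/.scr attachment. Those traits, and the "executable attachment plus two header traits" threshold, are assumptions drawn from the quoted samples, not a definition of the worm. The messages are constructed with documentation addresses and example domains.

```python
"""Triage a raw message the way the thread does by hand: pull the EHLO name
and IP of the sending host from the first Received: line, list attachments,
and score headers against traits shared by the samples quoted in this thread.
Added example; the messages are constructed (documentation IPs, example
domains). INDICATORS, SUBJECTS_SEEN and the verdict threshold are assumptions
drawn from the quoted samples, not a definition of the worm."""
import email
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HELO_TAG = re.compile(r"\b(?:EHLO|HELO)[=\s]+([^\s\)\]]+)")  # "(EHLO NAME)" or "EHLO=NAME"
FROM_TOK = re.compile(r"\(?from\s+([^\s\(\)\[\]]+)")         # "from NAME (" or "(from NAME ["

INDICATORS = [  # header traits common to the samples posted in the thread (assumption)
    ("X-MailScanner", re.compile(r"^Found to be clean$")),
    ("X-Mailer", re.compile(r"^Microsoft Outlook Express 6\.00\.2600\.0000$")),
    ("Date", re.compile(r"--\d{4}$")),  # double-dash UTC offset in every quoted sample
]
SUBJECTS_SEEN = {"Re: Details", "Re: That movie", "Re: Wicked screensaver",
                 "Re: Re: My details", "Re: Approval"}
DANGEROUS_EXT = (".pif", ".scr")


def unfold(value):
    """Join RFC 2822 continuation lines into one line."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


def first_hop(received):
    """(helo_name, ip) from one Received: header; handles the Yahoo,
    Exchange and NAV-gateway layouts quoted in the thread."""
    r = unfold(received)
    m = HELO_TAG.search(r) or FROM_TOK.search(r)
    ip = IPV4.search(r)
    return (m.group(1) if m else None, ip.group(1) if ip else None)


def triage_message(raw):
    """Return first-hop helo/ip, attachment names, matched indicators and
    an accept/reject verdict for one raw message."""
    msg = email.message_from_string(raw)
    received = msg.get_all("Received") or []
    helo, ip = first_hop(received[0]) if received else (None, None)
    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [h for h, pat in INDICATORS
            if msg.get(h) is not None and pat.search(unfold(msg[h]))]
    if unfold(msg.get("Subject", "")) in SUBJECTS_SEEN:
        hits.append("Subject")
    dangerous = [a for a in attachments if a.lower().endswith(DANGEROUS_EXT)]
    # Assumption: executable-type attachment plus two header traits => reject.
    verdict = "reject" if dangerous and len(hits) >= 2 else "accept"
    return {"helo": helo, "ip": ip, "attachments": attachments,
            "indicators": hits, "verdict": verdict}


SAMPLE_MSG = """\
Received: from 198.51.100.23 (EHLO WORKSTATION7) (198.51.100.23)
  by mx.example.net with SMTP; Tue, 19 Aug 2003 12:48:59 -0700
From: someone@example.org
To: victim@example.net
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 14:48:59 --0500
X-MailScanner: Found to be clean
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0152DE71"

This is a multipart message in MIME format

--_NextPart_000_0152DE71
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Please see the attached file for details.

--_NextPart_000_0152DE71
Content-Type: application/octet-stream; name="application.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="application.pif"

QUJD

--_NextPart_000_0152DE71--
"""

CLEAN_MSG = """\
Received: from mail.example.org (mail.example.org [203.0.113.5])
  by mx.example.net with ESMTP; Tue, 19 Aug 2003 13:00:00 -0700
From: colleague@example.org
Subject: lunch?
Date: Tue, 19 Aug 2003 15:59:00 -0400

Noon at the usual place?
"""

if __name__ == "__main__":
    print(triage_message(SAMPLE_MSG))
    print(triage_message(CLEAN_MSG))
```

One caveat when carrying this over to Postfix: `header_checks` and `mime_header_checks` evaluate one logical header line at a time, so the cross-header correlation above belongs in a content filter or milter, not in a pattern table. What does map directly to a single pcre table entry is the attachment-name rule, something like `/^Content-(Disposition|Type):.*name\s*=\s*"?.*\.(pif|scr)"?/ REJECT` in `mime_header_checks` (my suggestion, not the Unixwiz tip's text). The `helo`/`ip` pair is what you hand to the owner of the sending network, as the whois lookups later in this thread show.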
Schouw, Premium Member, joined 2003-05-29, Netherlands
to Allnew
said by Allnew:
CONGRATS!!!
Thanks. Everyone seems to be getting hit by this, except me... Anyone willing to send me a sample, please contact me via IM.
to John2g
Holy crap -- we use FirstClass e-mail/conferencing groupware where I work (sort of like Novell GroupWise), and every 10 seconds, a new message pops up in the various conferences and mailboxes with a paired friend from our e-mail virus scanner -- noting that an attachment has been deleted. This is nuts!
IronChefMorimoto
Zhen-Xjell (Prolific Bunny), joined 2000-10-08, Bordentown, NJ
to Steve
said by Steve: Those running the PostFix mail system can use header checks to reject these infected emails, and it's kicked out 40 of them in the last hour or so that I've been running this.
Nice, that prompted me to share mine for Sendmail. We've about covered it except for EXIM. Details are here: » www.nukecops.com/article521.html
Chizep, Premium Member, joined 2002-04-07, Concord, NC
to John2g
Wow, I have received a ton of notifications from the symantec AV/F for exchange here at work today. In the last 4 hours, every single notification has been for W32.Sobig.F.
Glad I decided to do an intelligent update on our SAV parent server today....
DannyZ (Gentoo Fanboy), Premium Member, joined 2003-01-29, united state
to John2g
I found this in my inbox today. I took one look at it and knew it was a virus, and deleted it. I really can't understand how crap like this propagates; if ya just look at it, ya know it's up to no good.
Chizep, Premium Member, joined 2002-04-07, Concord, NC
to John2g
Oh yeah, all of these emails have had .pif files attached.
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
kpatz
Premium Member
2003-Aug-19 3:35 pm
I got one with a .scr file attached. Same difference though.
F-prot does detect Sobig.F with the 8/19 defs, even though it doesn't appear in the list when I do a "f-prot -virlist". They must have forgotten to "list" it, even though the sig exists and it will report as W32/Sobig.F.
KJP
Ben Cisco (Embrace Intellect), Premium Member, joined 2001-12-13, Wormhole
to John2g
Here's the one I've been watching all day...(NAV killed the actual virus at the server)...
Received: (from MRAMSLER [204.66.110.164]) by system.net (NAVGW 2.5.2.12) with SMTP id M2003081914265816808 for ; Tue, 19 Aug 2003 14:26:59 -0400
X-Sybari-Trust: 26852b51 0f2b92c8 74feebe1 00000138
From:
To:
Subject: Re: That movie
Date: Tue, 19 Aug 2003 13:26:58 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_18E05091"

This is a multipart message in MIME format

--_NextPart_000_18E05091
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--_NextPart_000_18E05091
Content-Type: application/octet-stream; name="document_9446.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="document_9446.pif"

--_NextPart_000_18E05091--

Please see the attached file for details.
-----------------------
IPs resolved to state owned servers in PA and TX, so far... but they are probably spoofed.
Sarah, joined 2001-01-09, New York, NY
to John2g
Bleh. My e-mail was used as a randomly selected "from" field address on some infected machine, so now I am not only getting angry e-mails, but everyone who opens it and infects their computer immediately sends it back to me, so I have gotten 19 copies of it in the last hour or so. Idiots. Thankfully I run Mailwasher, which flags them (like it wasn't obvious enough when I got 9 e-mails with attachments from different people entitled "Re: Approval") and then I can delete it from the server without downloading it. Edit: Got another one as I wrote this.
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
to Ben Cisco
quote: X-MailScanner: Found to be clean
I saw this header in the sample I received too. I wonder if Sobig.F inserts that when it generates the email, or if both our samples went through a gateway scanner that missed the infection!
to John2g
This one has been responsible for many of the ones we're getting today.
*********************
Microsoft Mail Internet Headers Version 2.0
Received: from IBM-12E8D71C726 ([66.171.136.162]) my e-mail server name with my server build; Tue, 19 Aug 2003 12:52:32 -0700
From:
To: my domain name.com>
Subject: Re: Wicked screensaver
Date: Tue, 19 Aug 2003 15:11:49 --0400
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_003F3B51"
Return-Path: Mummel77@localnet.com
Message-ID: message id: 19 Aug 2003 19:52:32.0391 (UTC) FILETIME=[6DBA2970:01C3668B]

--_NextPart_000_003F3B51
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

--_NextPart_000_003F3B51
Content-Type: application/octet-stream; name="thank_you.pif"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="thank_you.pif"

--_NextPart_000_003F3B51--
*********************

66.171.136.162
Whois: Final results obtained from whois.arin.net. Results:

OrgName: Verizon Avenue
OrgID: VRAV
Address: 12901 Worldgate Drive
City: Herndon
StateProv: VA
PostalCode: 20170
Country: US

NetRange: 66.171.0.0 - 66.171.191.255
CIDR: 66.171.0.0/17, 66.171.128.0/18
NetName: VZ-AVENUE
NetHandle: NET-66-171-0-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: NS1.VZAVENUE.NET
NameServer: NS2.VZAVENUE.NET
Comment: ADDRESSES WITHIN THIS BLOCK ARE NON-PORTABLE
RegDate: 2001-09-19
Updated: 2003-03-26

TechHandle: AK589-ARIN
TechName: Kandil, Ahmed
TechPhone: +1-703-375-4700
TechEmail: Broad.eng@verizon.com

OrgTechHandle: AK589-ARIN
OrgTechName: Kandil, Ahmed
OrgTechPhone: +1-703-375-4700
OrgTechEmail: Broad.eng@verizon.com

# ARIN WHOIS database, last updated 2003-08-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
kpatz (MY HEAD A SPLODE), Premium Member, joined 2003-06-13, Manchester, NH
kpatz
Premium Member
2003-Aug-19 4:05 pm
Here's the headers from one of my samples:
X-Apparently-To: ********@yahoo.com via 216.136.175.18; Tue, 19 Aug 2003 12:49:02 -0700
X-YahooFilteredBulk: 216.127.236.254
Return-Path: <theta@theta-ent.com>
Received: from 216.127.236.254 (EHLO RROEDGER3) (216.127.236.254) by mta143.mail.sc5.yahoo.com with SMTP; Tue, 19 Aug 2003 12:48:59 -0700
From: theta@theta-ent.com
To: ********@yahoo.com
Subject: Re: Re: My details
Date: Tue, 19 Aug 2003 14:48:59 --0500
X-MailScanner: Found to be clean
Importance: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MSMail-Priority: Normal
X-Priority: 3 (Normal)
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="_NextPart_000_0152DE71"
Content-Length: 71398

Please see the attached file for details.

application.pif was attached.

Reverse DNS on 216.127.236.254: 216-127-236-254.focaldata.net

whois 216.127.236.254@whois.arin.net [whois.arin.net]
Focal Communications THEFIXNETWORK (NET-216-127-224-0-1) 216.127.224.0 - 216.127.255.255
Focal Information Systems FOCC-FOCALIS-CHI-1 (NET-216-127-236-128-1) 216.127.236.128 - 216.127.236.255

# ARIN WHOIS database, last updated 2003-08-18 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
to John2g
I have never been infected with an email virus but I was wondering if you were, and your computer was sending out the infected mail, would it show in your sent mail folder?
Thanks!
Steve (I know your IP address), joined 2001-03-10, Tustin, CA
Steve
2003-Aug-19 4:21 pm
This one: no. It has its own SMTP engine, so it doesn't go through the mechanisms of your email client. All it does is chew up your bandwidth and make you look like an idiot to your friends.
Steve
Thanks Steve!