Sobig.F

[vickero007]

Some of my users are getting a lot (30/day) of emails like the on below. The From shows the same address as is shown in the email. I've ran Norton AV over each machine and tried the Sobig.E tool with no luck. Any ideas??


Norton AntiVirus found a virus in an attachment from jwalls@gooselake.com.

Attachment: your_document.pif
Virus name: W32.Sobig.F@mm
Action taken: Clean failed : Quarantine succeeded :
File status: Infected


-Volkoff007

 

[manarth]

It looks like someone else's machine is infected. Sobig picks a random address from the victim's address book and uses that address as the "sender" when it sends its infected emails.

Check the header of the email to find the IP address of the sender, then use the IP address to report it to the ISP or responsible company.

<marc> i wonder what will happen if i press this...[ul][li]please give feedback on what works / what doesn't[/li][li]need some help? how to get a better answer: faq581-3339[/li][/ul]

 

[carrr]

Check out this info on the .F variant...

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561

Also, McAfee's Stinger is a handy floppy-sized utility that includes detection/removal schema for this and the other prominent virii at the moment:

http://download.nai.com/products/mcafee-avert/stinger.exe

 

[2ffat]

This is a royal pain. I've gotten 21 e-mails with the virus attached and that was before 8:00 am EDT. Each one claimed to have come from a different e-mail address but in tracking back the headers, I've found they have come from only 5 different IP addresses. Unfortunatly, these belong to ISPs so it is hard to say if they are static or dial-up accounts.

What really bites, though, are the emails from people who complain we are sending them the virus. (One was from a state representative in the Texas state house.) None of whom I know. In going over the headers in the original e-mails (where I can), these are also coming from those 5 IP addresses!

One way to check if you have this virus is to search your computer(s) for the file winppr32.exe. You can also check your Registry for these entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\TrayX = <Windows folder<\winppr32.exe /sinc

See

http://www.us.sophos.com/virusinfo/analyses/w32sobigf.html

for more info.

James P. Cottingham

When a man sits with a pretty girl for an hour, it seems like a minute. But let him sit on a hot stove for a minute and it's longer than any hour. That's relativity.
[tab][tab]Albert Einstein explaining his Theory of Relativity to a group of journalists.

 

[GlenJohnson]

http://www.us.sophos.com/virusinfo/analyses/w32sobigf.html

and

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@nellsgiftbox.com

http://www.johnsoncomputers.us

Want to get great answers to your Tek-Tips questions? Have a look at FAQ219-2884

&quot;Once the game is over, the king and the pawn return to the same box.&quot;