
WARNING: New W32.Sobig worm variant

N/A

WARNING: New W32.Sobig worm variant

A new variant of the Sobig worm emerged over the last week, and it is causing as much havoc as always.

Although you may be protected from previous versions, it seems this one is slipping the net.

Virus centers
Norton information

News
Auto-responders magnify Sobig problem
Sobig-F is fastest growing virus ever - official

When receiving the worm, you will see attachments with the following extensions

  • .dbx
  • .eml
  • .hlp
  • .htm
  • .html
  • .mht
  • .wab
  • .txt


The subject can be one of the following.

  • Re: Details
  • Re: Approved
  • Re: Re: My details
  • Re: Thank you!
  • Re: That movie
  • Re: Wicked screensaver
  • Re: Your application
  • Thank you!
  • Your details


The body can be one of the following

  • See the attached file for details
  • Please see the attached file for details
16 REPLIES
N/A

WARNING: New W32.Sobig worm variant

I had a couple of these messages yesterday from various fake addresses including aol.com and rackspace.net.
N/A

WARNING: New W32.Sobig worm variant

You will only ever get them from fake addresses.

Our spam dump at work produces about 2 viruses a week; since yesterday, I have now seen a leap to 35.

So this looks as if it is to become very bad.
N/A

WARNING: New W32.Sobig worm variant

Received 6 copies of this already, also started getting the occasional "mail blocked" or returned delivery message, so I'm thinking it may have executed itself before I updated my Norton definitions...
Did a full scan and it came up clean, so I'm hoping it's not sending out emails without me knowing...
N/A

WARNING: New W32.Sobig worm variant

I have set my firewall to block all outgoing connections on port 25, then allowed all connections to relay.plus.net

Better safe than sorry.
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

WARNING: New W32.Sobig worm variant

These are now turning up in droves with my mail.
Looks like it's got a good hold out there.

Incidentally, Mailwasher is actually reporting that these are a possible virus?
I wasn't aware that Mailwasher had that functionality but it's good news if it has.
N/A

sobig

I just got about 70 of these emails fitting the description as above (subject headings, attachment names). Some notable differences: 1. on my Mac 9 OE 5 the attachment formats are PIF or SCR, 2. the vast majority of messages are from .at addresses (Austria?), 3. [what really bothers me] I'm also getting "mail undeliverable" messages from the virus washers at ISPs saying that I've been sending out these messages myself; however, they indicate sending dates when this was impossible.

Is there a possibility that the worm/virus is collecting my email address off the web and then impersonating my address?

Or should I worry about my virus software?

David

[Moderator's note (by Chris): I have removed the email address listed for replies. This is a forum, and as such all replies should be made to the group, for general interest and to help people who may suffer the same problems in the future.]
N/A

WARNING: New W32.Sobig worm variant

This virus uses some sneaky tactics.

When it forwards itself, it picks a random address it detected from an infected machine, and uses it as the from address.

This sounds like somebody that has sent you a mail, somebody you have sent a mail, or somebody that has received an e-mail that also includes your address, is infected.

When you see these error replies, it means your address was used as the from address.

Just to note, this is becoming worse than even I suspected.

News
Auto-responders magnify Sobig problem
Sobig-F is fastest growing virus ever - official

As proof of this point, our work DSL connection is now solidly packed with this virus downloading.

From 3 on Tuesday, 17 yesterday and now ~350 today (once I dequeue all the current mail, there will be another batch waiting for collection).

I am currently bringing online some scanning tools over the fastest connections I can find, just to save our own network from being swamped all day.

Luckily, no infection has taken place here, but the rest of the world is giving me a headache.
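
A triage sketch for the two situations described so far in the thread (copies of the worm matching the indicators in the opening post, and bounce messages caused by the forged From address), added here as an example and not written by any poster. The function names, the two-trait threshold, and the sample messages (addresses, file name, bounce wording) are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the opening post of this thread.
SUBJECTS = {"re: details", "re: approved", "re: re: my details", "re: thank you!",
            "re: that movie", "re: wicked screensaver", "re: your application",
            "thank you!", "your details"}
BODIES = ("see the attached file for details", "please see the attached file for details")
# Extensions from the opening post, plus PIF/SCR as reported in a later reply.
EXTS = (".dbx", ".eml", ".hlp", ".htm", ".html", ".mht", ".wab", ".txt", ".pif", ".scr")

def subject_of(msg) -> str:
    return (msg["Subject"] or "").strip().lower()

def sobig_score(msg) -> int:
    """Number of listed traits present: subject, body text, attachment type."""
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().strip().lower() if part else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    return ((subject_of(msg) in SUBJECTS) + body.startswith(BODIES)
            + any(n.endswith(EXTS) for n in names))

def classify(raw: str) -> str:
    msg = email.message_from_string(raw, policy=policy.default)
    if sobig_score(msg) >= 2:          # one trait alone ("Thank you!") is too common
        return "worm"
    for part in msg.walk():            # a bounce often embeds the rejected original
        if part.get_content_type() == "message/rfc822" \
                and subject_of(part.get_content()) in SUBJECTS:
            return "backscatter"       # our address was forged as the sender
    return "other"

def sample(subject, body, attach=None, embed=None) -> str:
    """Build a constructed test message; addresses and file names are made up."""
    m = EmailMessage()
    m["From"], m["Subject"] = "a@example.com", subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attach)
    if embed:
        m.add_attachment(email.message_from_string(embed, policy=policy.default))
    return m.as_string()

WORM = sample("Re: Wicked screensaver", "Please see the attached file for details",
              attach="constructed.pif")
BOUNCE = sample("Mail undeliverable", "A virus was found in your message.", embed=WORM)
CLEAN = sample("Thank you!", "Thanks for lunch yesterday.")
```

`classify(WORM)`, `classify(BOUNCE)` and `classify(CLEAN)` return `"worm"`, `"backscatter"` and `"other"`; bounces that quote only headers or plain text rather than embedding the original would need an extra check.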
N/A

WARNING: New W32.Sobig worm variant

Informative reply to my query. Thanks. Good luck.

David
N/A

Sobig

Developments? At the moment every send and receive is wasting about 5 minutes on these electronic fleas. What prognosis?
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

WARNING: New W32.Sobig worm variant

I assume you mean that every time you do a receive all you are getting loads of virus-filled mail.
If so, a good way to avoid this is to have a look first using Web Mail so you can see what is waiting in your inbox and delete all the rubbish before you open your mail program.
Another good tool for this is Mail Washer, a free program you can download, and it checks your mail first, giving you the option to delete what you know is not for you.
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

WARNING: New W32.Sobig worm variant

Still far too many PN users with this worm. I just checked my firewall logs for the last 2 days and have 113 new users with it. Granted, some are 56k [about 20], but still too many static IP users with it. So too many for me to mail myself because of the mass mail limit [20 carbon copies limit on mailing, if I remember right]

Time to name and shame people into doing something?
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017
Community Veteran
Posts: 6,983
Thanks: 8
Registered: 10-04-2007

WARNING: New W32.Sobig worm variant

If you do have a list of IPs then why not pass them on to Plusnet via Contact Us? They may be able to make those who have the worm aware.
N/A

WARNING: New W32.Sobig worm variant

Are you talking about the correct virus here?

Sobig.F is e-mail propagated. It shouldn't show up on any firewall.
Community Veteran
Posts: 3,181
Thanks: 19
Fixes: 2
Registered: 31-07-2007

WARNING: New W32.Sobig worm variant

I have done, but unless it's a payment email I don't think many people take notice of PN contact emails, as some were on the first list I sent in 2 weeks ago.

ed:@ Acarr the port probes do
Unvalued customer since 2001 funding cheap internet for others / DSL/Fibre house move 24 month regrade from 8th May 2017