toadlife 3 Posted August 21, 2003
A new variant of the Sobig email worm is out and about and LOTS of people are infected. I've gotten 20 of these sent to my toadlife@toadlife.net address in the last 12 hours. This tells me that lots of people in the OFP community are infected, because this is the address I use to correspond with all of my OFP cohorts.
Go here for info on this worm: http://vil.nai.com/vil/content/v_100561.htm
Another suggestion I have for you virus carriers is to not use any Microsoft program (ie: the Outlook family) to read your mail. Download Mozilla, or Eudora, or SOMETHING/ANYTHING else to read your email. Thank you.
ralphwiggum 6 Posted August 21, 2003
Quote: Another suggestion I have for you virus carriers is to not use any Microsoft program (ie: the Outlook family) to read your mail. Download Mozilla, or Eudora, or SOMETHING/ANYTHING else to read your email.
Thanks for the heads-up info. I personally do not use MS mail programs so don't worry about it, but hope there is help for those who get infected.
Mister Frag 0 Posted August 21, 2003
Sobig also reads e-mail addresses off websites, and uses them both to forge the sender addresses and to find new victims for itself. Basically, if you've ever given out your e-mail address somewhere on the Internet, you could conceivably get the worm this way.
One of my not-so-computer-literate friends e-mailed me earlier today about getting bounces back from various postmaster daemons for e-mails with large attachments and generic subject lines that she never sent. Her system turned out not to be infected, but the system of someone she knows probably is, and Sobig used my friend's e-mail address as the sender. That, or it got her address off the 'net, which is also quite possible.
toadlife 3 Posted August 21, 2003
Yeah, I've got a few returned mails with the virus attached too. I've now received 45 Sobig emails since 6 AM this morning (15 hours). This one is by far the biggest mail virus ever.
blackdog~ 0 Posted August 21, 2003
I haven't gotten it once
toadlife 3 Posted August 21, 2003
Quote: I haven't gotten it once
Lucky you. Either your email address is in no one's address book, and is posted nowhere, or your provider scans incoming mail.
Hudson 0 Posted August 21, 2003
Our mail server has been receiving over 800 of these Sobig emails daily.
kegetys 2 Posted August 21, 2003
Just yesterday I received ~350 of those, and a few hundred the day before... Sometimes they are coming in at about 1 per minute, and they fill up my 10MB mailbox pretty fast if I'm not checking email all the time.
benu 1 Posted August 21, 2003
Outlook Express is one of the first things I delete from the hard drive after installing Windows. My new XP installation is the first I left the Internet Explorer on... But I haven't got any of those new virus mails, although I'm kind of a spam whore (many dozens of spams a day, of which luckily several spam filters take good care) with using my real email addresses in usenet and stuff. I'm a bit surprised I do not get those virus mails...
acidcrash 0 Posted August 21, 2003
Quote: I haven't gotten it once
Ditto, I never seem to get mail virii.... and I'd just as soon keep it that way. Doesn't stop me getting hundreds of spam mails daily though.
Supah 0 Posted August 21, 2003
Yay, the RPC bug and blaster virus hardly gone and the next one comes along
Koolkid101 0 Posted August 21, 2003
Hmm I guess I'm not very popular.
der bastler 0 Posted August 21, 2003
W32blaster? soBIG? What's up?
*petsfli4lrouter* (http://www.fli4l.de)
*petsgentoopenguin* (http://www.gentoo.org)
btw: OFP is the only reason why I'm still using Win98... Hello BIS? OFP2 for Linux? *givinbroadbroadhint* *offeringhelp*
Milkman 1 Posted August 22, 2003
Hah! Not only do I have no virus in my e-mails, I have no e-mails in the first place! I haven't received a single one in over a week! Not even spam.
edc 0 Posted August 22, 2003
I use Outlook, and I've not gotten it. Though I do get a lot of spam, but I've customized Outlook's rules to automatically delete most of them.
suchey 0 Posted August 22, 2003
I read that this is the quickest spreading virus of all time... the previous record was something like 250,000 in a 24 hour period. SoBig has marked over a million in the same time span. Not sure how accurate the info is, but it's interesting anyway.
Mister Frag 0 Posted August 22, 2003
MessageLabs says that one of every 17 e-mail messages that have been scanned by their systems was from Sobig! And half of the rest were probably offers for enhancing various body parts...
Jester983 0 Posted August 22, 2003
I haven't gotten this yet (thank god), but my dad said at his work in the past 2 days he's gotten about 500 of these.
blackdog~ 0 Posted August 22, 2003
I can't believe how gullible some people are when they open attachments on emails, I mean... the subjects give it away!
Yoshiro 0 Posted August 22, 2003
I never get virus email 'cause I never give my email out. Not on any lists, and if I somehow get on one I have my mail removed immediately.
Warin 0 Posted August 22, 2003
Quote: I can't believe how gullible some people are when they open attachments on emails, I mean... the subjects give it away!
I know exactly what you mean. I don't open attachments, with two exceptions: picture files, and VASL turns. Anything else with an attachment gets deleted immediately. Heh. I haven't been home in almost a week, so I am dreading checking my email when I do.
Hudson 0 Posted August 22, 2003
Quote:

Virus Update

On August 19, we alerted you to the Sobig.F worm that was filling its victims' Inbox with avalanches of junk mail. Since then, startling new facts have emerged showing that Sobig is potentially far more destructive than first imagined.

Today, anti-virus vendor F-Secure has alerted <http://www.f-secure.com/news/items/news_2003082200.shtml> the world to hidden attack instructions lurking within Sobig.F's code. The worm's author encrypted these attack instructions, which F-Secure successfully decrypted just last night. We now understand more of Sobig.F's attack sequence, and it's like something straight out of a sci-fi thriller novel.

Sobig.F contains a list of 20 IP addresses which belong to different personal computers around the world, all apparently having broadband connections. Sobig.F infected machines have silently synchronized their clocks with the atomic clock (also known as the Universal Time Clock, or UTC). In a massive synchronized attack scheduled for today at 19:00:00 UTC (12:00 PST), the hundreds of thousands of Sobig.F infected machines around the world will authenticate to the 20 IP addresses hidden in the worm's code, download, and execute an unknown mystery program.

Given that Sobig's author has carefully issued, improved, and re-issued the worm six times since January, we take that to mean the mystery program will be more deadly than typical script-kiddie fare. However, note that that is our speculation; it is possible that the code could turn out to be a mild prank that simply displays some ego-driven, hacker message on an infected machine's screen. However, when it comes to your network, we figure "better safe than sorry," so we're treating the attack seriously.

Anti-virus researchers cannot learn what the malicious code will do because it has not been placed on the 20 servers yet for download. They assume the author will upload the code seconds before the massive attack is scheduled to start. As we wrote this, Reuters reported that law enforcement authorities have shut down 12 of the 20 IP addresses from which Sobig.F will download its attack. However, because the 20 addresses are scattered around the world, it's unlikely that all will be caught before this attack takes place. Some version of Sobig.F's mystery attack will occur.

What Your WatchGuard Firewall Can Do

If you haven't already done so, we highly recommend you update all your computer's anti-virus signatures. If you have any Sobig.F infected machines, take them offline immediately and clean before putting them back online.

Firebox owners should continue blocking .SCR and .PIF files using their SMTP proxy. Click here <http://www.watchguard.com/help/lss/60/User/proxies5.htm> for more details on blocking attachments with your SMTP proxy.

Sobig.F uses port UDP/8998 to access the 20 IP addresses. It also causes infected machines to listen on ports 995 through 999. Firebox users can create a custom service to block these ports (incoming and outgoing) so that if there are any infected machines on your network, they cannot access the "mystery code."
How to create a custom service:
* For <http://www.watchguard.com/help/lss/60/User/servic13.htm> Firebox
* For <http://www.watchguard.com/help/SmallOffice/6.2/Configure_Firewall/soho65fire.htm> SOHO

References:
* F-Secure's <http://www.f-secure.com/news/items/news_2003082200.shtml> Urgent Sobig.F Update
* WatchGuard's <https://www.watchguard.com/archive/showhtml.asp?pack=5303> Sobig.F Alert
* McAfee's <http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561> Sobig.F Alert
* Symantec's <http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html> Sobig.F Alert
* Reuters <http://story.news.yahoo.com/news?tmpl=story&ncid=1211&e=1&u=/nm/20030822/tc_nm/tech_internet_virus_dc&sid=95573372> coverage, posted on Yahoo
* The <http://www.theregister.co.uk/content/56/32475.html> Register coverage, mentioning secondary attack this Sunday

Credits: Researched and written by Corey Nachreiner

Email feedback to lsseditor@watchguard.com. For other helpful articles, log into the LiveSecurity <https://www3.watchguard.com/archive/broadcasts.asp> Archive.

Copyright 2003 WatchGuard Technologies, Incorporated. All Rights Reserved.
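The network indicators named in the quoted WatchGuard alert (UDP/8998 outbound, listeners on ports 995 through 999) can also be used to find machines that need cleaning. The following is an added example, not part of the alert or of any post in this thread; the log format, the internal network range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Indicators as stated in the quoted WatchGuard alert.
FETCH = ("udp", 8998)             # infected hosts reach the 20 addresses on UDP/8998
LISTEN_PORTS = range(995, 1000)   # infected hosts listen on 995 through 999

# Assumption: the protected network. Replace with the site's own ranges.
INTERNAL = ipaddress.ip_network("192.168.1.0/24")

# Constructed log format: "<time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^\S+ \w+ (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def triage(lines):
    """Map each internal host worth inspecting to the reasons it was flagged."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a flow record
        try:
            src = ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address
        proto, dport = m["proto"], int(m["dport"])
        # Inside host calling out on the download port.
        if src in INTERNAL and dst not in INTERNAL and (proto, dport) == FETCH:
            hits[str(src)].add("outbound udp/8998")
        # Outside host reaching an inside host on a listener port. Outbound
        # tcp/995 (POP3 over SSL to an external mail server) is not flagged.
        if dst in INTERNAL and src not in INTERNAL and dport in LISTEN_PORTS:
            hits[str(dst)].add(f"inbound {proto}/{dport}")
    return {host: sorted(reasons) for host, reasons in hits.items()}

# Constructed sample records (documentation address ranges, not real indicators).
SAMPLE_LOG = """\
2003-08-22T18:59:58Z allow udp 192.168.1.23:1044 -> 203.0.113.7:8998
2003-08-22T19:00:01Z deny udp 192.168.1.23:1045 -> 198.51.100.20:8998
2003-08-22T19:00:03Z allow tcp 192.168.1.40:1210 -> 198.51.100.9:995
2003-08-22T19:00:05Z deny udp 203.0.113.50:4000 -> 192.168.1.23:996
firewall restarted
2003-08-22T19:00:09Z deny tcp 203.0.113.50:4001 -> 192.168.1.60:999
""".splitlines()

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, reasons)
```

TCP/995 is also the standard port for POP3 over SSL, so a blanket outgoing block on 995 stops mail clients that use it; the triage above only counts connections arriving at inside hosts on 995 through 999.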