Brace yourselves.. W32/Sobig-F about to mutate...
A quick heads up, if anybody hasn't heard:

At 1900GMT today, ET phones home, and picks up the next payload of instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself, put in a password grabber, and then installed a mail proxy for spammer use.

This one *may* just play the theme song from Bozo the Clown and erase itself, but I severely doubt it's gonna be that nice.

http://www.f-secure.com/news/items/news_2003082200.shtml
On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:
> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself, put in a password grabber, and then installed a mail proxy for spammer use.

"On this moment, the worm starts to connect to machines found from an encrypted list hidden in the virus body. The list contains the address of 20 computers located in USA, Canada and South Korea."

erm, so why don't we just block (preferably bgp null route) these sites?
| Stephen J. Wilcox
| Sent: Friday, August 22, 2003 2:15 PM
| To: Valdis.Kletnieks@vt.edu
| Cc: nanog@merit.edu
| Subject: Re: Brace yourselves.. W32/Sobig-F about to mutate...
|
| On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:
|
| > A quick heads up, if anybody hasn't heard:
| >
| > At 1900GMT today, ET phones home, and picks up the next payload of
| > instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
| > put in a password grabber, and then installed a mail proxy for spammer use.
|
| "On this moment, the worm starts to connect to machines found from an encrypted
| list hidden in the virus body. The list contains the address of 20 computers
| located in USA, Canada and South Korea."
|
| erm so why dont we just block (preferably bgp null route) these sites?

I believe that InterNAP has already implemented this in all of their PNAP's.

Todd
--
If we can post here as soon as these mystery machines and/or ports are known we can all throw up ACLs, but if the worm writers learned from "How to Own the Internet in Your Spare Time", by the time we throw up ACLs, it's probably already too late.

scott

On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:

: A quick heads up, if anybody hasn't heard:
:
: At 1900GMT today, ET phones home, and picks up the next payload of
: instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
: put in a password grabber, and then installed a mail proxy for spammer use.
:
: This one *may* just play the theme song from Bozo the Clown and erase itself,
: but I severely doubt it's gonna be that nice.
:
: http://www.f-secure.com/news/items/news_2003082200.shtml
:
Just started getting it here... it came from a local Comcast cable user, and so overwhelmed the mail server that SpamAssassin and qmail-scanner stopped scanning it. I had to nullroute that IP to stop it... it looks like this:

Return-Path: <admin@duma.gov.ru>
Delivered-To: james@pil.net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213) by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
From: "Microsoft" <security@microsoft.com>
To: <james@pil.net>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"

  Parts/Attachments:
   1 Shown     3 lines  Text
   2          9.6 KB    Application
   3 Shown     0 lines  Text
----------------------------------------

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:
> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself, put in a password grabber, and then installed a mail proxy for spammer use.
>
> This one *may* just play the theme song from Bozo the Clown and erase itself, but I severely doubt it's gonna be that nice.
James Smallacombe    PlantageNet, Inc. CEO and Janitor
up@3.am              http://3.am
=========================================================================
The security@microsoft.com address may fool them, but I would be very suspicious of a Microsoft patch that was only 9.6KB :)
>   Parts/Attachments:
>    1 Shown     3 lines  Text
>    2          9.6 KB    Application
>    3 Shown     0 lines  Text
> ----------------------------------------
Adam Maloney
Systems Administrator
Sihope Communications
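As an added example (not code from anyone in this thread), a small Python checker for the lure traits visible in James's header sample and in Adam's remark about the attachment: a spoofed microsoft.com sender, HELO localhost from an outside host, a "patch" subject, and an application attachment. The sample message is constructed from the quoted headers; its MIME body is a stand-in, since only the attachment summary appears above.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the headers are those quoted in James's message above;
# the MIME body is a stand-in for the 9.6 KB application part he saw.
SOBIG_SAMPLE = """\
Return-Path: <admin@duma.gov.ru>
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213) by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
From: "Microsoft" <security@microsoft.com>
To: <james@pil.net>
Subject: Use this patch immediately !
Content-Type: multipart/mixed; boundary="xxxx"

--xxxx
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
--xxxx
Content-Type: application/octet-stream

(constructed placeholder for the executable attachment)
--xxxx--
"""

def _domain(header_value) -> str:
    # Lower-cased domain of the first address in a From/Return-Path value.
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()

def sobig_lure_indicators(raw: str) -> list[str]:
    # Return the Sobig-F lure traits present in a raw RFC 822 message.
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    from_dom = _domain(msg.get("From", ""))
    rp_dom = _domain(msg.get("Return-Path", ""))
    # Microsoft does not mail out patches, so the sender claim is itself a flag.
    if from_dom == "microsoft.com":
        hits.append("sender claims to be microsoft.com")
    # Envelope/header mismatch is weak alone (lists rewrite it), strong with the rest.
    if from_dom and rp_dom and from_dom != rp_dom:
        hits.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    for rcvd in msg.get_all("Received", []):
        if "(HELO localhost)" in str(rcvd):
            hits.append("HELO localhost from an external relay")
    if re.search(r"\bpatch\b", str(msg.get("Subject", "")), re.I):
        hits.append("patch lure in Subject")
    for part in msg.walk():
        if part.get_content_maintype() == "application":
            hits.append(f"application attachment ({part.get_content_type()})")
    return hits
```

Any one of these traits fires on legitimate mail now and then; the combination is what marks the lure, so score the list rather than blocking on a single hit.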