Virus Warning

[GolfProRM]

Just wanted to pass along the latest email I got "from MS"... it's a bit different from the others, but knew it was a virus immediately because it came to the wrong account (I get MS info at a different account), and had an attachment.... The text is quite a bit different so I wanted to let everyone know... Also, the headers are a dead giveaway...

-------- Original Message --------From:  - Wed Jun 04 04:54:18 2003X-UIDL:  b0bf6d9adb5c0300X-Mozilla-Status:  0001X-Mozilla-Status2:  00000000Received:  by duck (mbox xxxxxx) (with Cubic Circle's cucipop (v1.31 1998/05/13) Wed Jun 4 04:54:17 2003)X-From_:  sebatrans@wp.pl Wed Jun 4 04:53:53 2003Return-Path:  <sebatrans@wp.pl>Received:  from parrot.ISP.com (parrot.ISPcom [199.184.119.9]) by duck.ISP.com (8.12.7/8.12.7) with ESMTP id h549rrQU029310 for <my@email>; Wed, 4 Jun 2003 04:53:53 -0500 (CDT)Received:  from smtp.wp.pl (smtp.wp.pl [212.77.101.161]) by parrot.ISP.com (8.11.6/8.12.8) with ESMTP id h549raX29343 for <my@email>; Wed, 4 Jun 2003 04:53:38 -0500 (CDT)Date:  Wed, 4 Jun 2003 04:53:38 -0500 (CDT)Message-Id:  <200306040953.h549raX29343@parrot.ISP.com>Received:  (WP-SMTPD 13049 invoked from network); 4 Jun 2003 09:33:33 -0000Received:  from pg16.krakow.sdi.tpnet.pl (HELO aFVh) ([213.76.246.16]) (envelope-sender <sebatrans@wp.pl>) by smtp.wp.pl (wp-smtpd) with SMTP for <sjm32@webtv.net>; 4 Jun 2003 09:32:43 -0000FROM:  Microsoft Network Technical Services <llschj402217@reroute.microsoft.com>TO:  Microsoft Customer@parrot.ISP.comSUBJECT:  Microsoft Security UpdateMime-Version:  1.0Content-Type:  multipart/mixed; boundary="WViIdKfnjzDl"X-AntiVirus:  skaner antywirusowy poczty Wirtualnej Polski S. A.X-WP-ChangeAV:  1Microsoft Customerthis is the latest version of security update, the"June 2003, Cumulative Patch" update which eliminatesall known security vulnerabilities affecting Internet Explorer,Outlook and Outlook Express as well as five newlydiscovered vulnerabilities. Install now to protect your computerfrom these vulnerabilities, the most serious of which could allowan attacker to run executable on your system. This update includesthe functionality of all previously released patches.System requirements  Win 9x/Me/2000/NT/XPThis update applies to  Microsoft Internet Explorer, version 4.01 and laterMicrosoft Outlook, version 8.00 and laterMicrosoft Outlook Express, version 4.01 and laterRecommendation  Customers should install the patch at the earliest opportunity.How to install  Run attached file. Click Yes on displayed dialog box.How to use  You don't need to do anything after installing this item.Microsoft Product Support Services and Knowledge Base articlescan be found on the Microsoft Technical Support web site.For security-related information about Microsoft products, pleasevisit the Microsoft Security Advisor web site, or Contact us.Please do not reply to this message. It was sent from an unmonitorede-mail address and we are unable to respond to any replies.Thank you for using Microsoft products.With friendly greetings,Microsoft Network Technical Services©2003 Microsoft Corporation. All rights reserved. The names of the actual companiesand products mentioned herein may be the trademarks of their respective owners.

P.S. The attachments were called UPDATE538-46.exe and antyvirinfo.txt

[nlinecomputers]

Sophos and Trend Micro are both reporting that a new varient of Bugbear is rapidly spreading on the internet. Trend Micro has put it on medium watch.McAfee is listing it as high and Symantec is listing it at as a level 3 virus.http://securityresponse.symantec.com/avcen...gbear.b@mm.htmlhttp://vil.mcafee.com/dispVirus.asp?virus_k=100358http://www.trendmicro.com/vinfo/virusencyc...me=PE_BUGBEAR.BGet your AV programs updated. Most AV programs have updates out today.

[Guest LilBambi]

I merged the other Sobig.C Topic here so we can keep it all together and find new virus related items quickly and easily.I also changed the topic to include all new virus alert type items.Hope this will help us all find the information as it's posted more easily in this "Stickied" Topic.

[Guest LilBambi]

Sophos and Trend Micro are both reporting that a new varient of Bugbear is rapidly spreading on the internet.  Trend Micro has put it on medium watch.McAfee is listing it as high and Symantec is listing it at as a level 3 virus.http://securityresponse.symantec.com/avcen...gbear.b@mm.htmlhttp://vil.mcafee.com/dispVirus.asp?virus_k=100358http://www.trendmicro.com/vinfo/virusencyc...me=PE_BUGBEAR.BGet your AV programs updated.  Most AV programs have updates out today.

Oh, joy ... we all get another chance for a bear hug! LOL!Thank you for posting the warning nlinecomputers!NOTE TO SELF: update AVG NOW!

[jbredmound]

As I was reading the latest, my AVG updated. I checked Norton, and I had received a special update, plus the usual Thursday update. But the Bear is SoBig!

[Guest LilBambi]

ZDNet article - Bugbear.B continues its rampage

The growth in the number of computers infected by the virus--which spreads via e-mail and shared networked hard drives--continued to accelerate Friday, with security company Symantec seeing 3,000 reports of infections in just more than 48 hours. That figure equaled the total number of submissions for the fourth ranked computer virus, Fizzer, for the entire month of May, and it brought to mind the infamous Nimda virus. "If I compared it to Nimda, it is going at a much faster rate of infection," said Vincent Weafer, senior director of Symantec's security response team.

This is certainly a very big one!Symantec has a Security Alert on the front page of their Symantec's AV Center stating:

W32.Bugbear.B@mm is a Category 4 mass-mailing, polymorphic worm that also spreads through network shares. This worm infects a select list of executable files, has keystroke-logging and backdoor capabilities and will attempt to terminate the processes of various antivirus and firewall programs.

We all need to be very careful!

[Guest LilBambi]

There are four new Threats within the last few days that are already considered to be Category 2 Risk Factor by Symantec's AV CenterAll four are considered High Distribution:w32.danvee@mm - 6/13/03 - So far also Known as: I-Worm.Crock [KAV]w32.hllw.cidas@mm - 6/11/03 - So far also known as: I-Worm.Centar.h [KAV], W32/Fourseman.g@MM [McAfee]The next one is also considered High Damage!:w32.naco.d@mm - 6/12/03 - So far also known as: W32/Anacon-D [sophos] This last one is also considered Medium Damage:w32.hllw.aldem@mm - 6/10/03 - So far also known as: no different names reported at Symantec to date.

[Guest LilBambi]

New Breed of Trojan Raises Security ConcernsSecurity researchers believe they have identified a new breed of Trojan horse that is infecting machines on the Internet, possibly in preparation for a larger coordinated attack.Quote from the article:

The program scans random IP addresses and sends a probe in the form of a TCP SYN request with a window size that is always 55808. Infected hosts listen promiscuously for packets with certain identifying characteristics, including that specific window size. Experts believe that other fields within the packet's header probably give the infected host information on the IP address of the controlling host and what port to contact the host on. The Trojan is also capable of spoofing the source IP addresses for the packets it sends, making it much more difficult for researchers to track infected hosts. The program appears to scan IP addresses at a rate that enables it to scan about 90 percent of the IP addresses on the Internet in 24 hours, according to officials at Lancope Inc., an Atlanta-based security vendor. The company has seen the new Trojan on its own honeynet and has also observed it on the network at a university.

[GolfProRM]

Guess what? Sobig's back! As Sobig.E It comes in a .zip file, so it's a bit harder to be infected by it, but it's pretty nasty.http://www.symantec.com/avcenter/venc/data...sobig.e@mm.htmlAlso found this on the McAfee forums

Unlike previous variants of W32/Sobig, W32/Sobig.e@MM appears to spread using a compressed .ZIP file. This means an extra step before the worm is executed (unzipping), but it also means that some antivirus programs will simply skip it. Also, due to a bug in the code, W32/Sobig.e@MM sometimes uses the non-existant .ZI extension instead of .ZIP.Interestingly, the writeup makes it sound like W32/Sobig.e@MM does not use a highly variable subject line message, or attachment, and instead uses the following:Subject: Re: Movie or Re: ApplicationBody: Please see the attached zip file for details.Attachment: your_details.zip (which contains details.pif)McAfee Writeup (Now Complete)http://vil.mcafee.com/dispVirus.asp?virus_k=100429

[Guest LilBambi]

Yep, received one today. Very interesting. Glad I moved to Pegasus for an email client. Below see some of the raw source with snipped received from headers, and changed my email address and host info but otherwise this is verbatim:

--- SNIPPED Additional received from headers ---From: To: emailaddress@domain.comSubject: Re: ApplicationDate: Wed, 25 Jun 2003 17:10:53 --0700Importance: NormalX-Mailer: Microsoft Outlook Express 6.00.2600.0000X-MSMail-Priority: NormalX-Priority: 3 (Normal)MIME-Version: 1.0Content-Type: multipart/mixed; boundary="CSmtpMsgPart123X456_000_0B4AA697"Message-Id: X-AntiAbuse: This header was added to track abuse, please include it with any abuse reportX-AntiAbuse: Primary Hostname - hostdomain.comX-AntiAbuse: Original Domain - domain.comX-AntiAbuse: Originator/Caller UID/GID - [0 0] / [0 0]X-AntiAbuse: Sender Address Domain - e-sci.comX-Fetchmail-Warning: recipient address emailaddress@domain.com didn't match any local nameX-PMFLAGS: 570966144 0 1 PGOGU15I.CNM                    This is a multipart message in MIME format--CSmtpMsgPart123X456_000_0B4AA697Content-Type: text/plain; charset="iso-8859-1"Content-Transfer-Encoding: 7bitPlease see the attached zip file for details.--CSmtpMsgPart123X456_000_0B4AA697Content-Type: application/x-stuffit; name="your_details.zip"Content-Transfer-Encoding: base64Content-Disposition: attachment; filename="your_details.zi"UEsDBBQAAgAIAFqJ2S789YYSm0ABAABSAQALAAAAZGV0YWlscy5waWbssmOMl3r7Zt27Zt27Ztd6+2jdW2bdu27V5tc55vv9/eM5nJzPyZZP48R1I5qq46U7mqUrJa8YBfAAAAwMAtAH+gwDg/521fwYcfgccoAlymrANSGaaUMXC0pnAwcne3MnQlsDY0M7O3oXAyJTAydWERemcDW3sSUDhYWiuS/z9goBJnJGbDK/p8Dd8ckO+Qfu20bZGP/47Ftz+yk/97L/h+2zob9x5//XXfbNsz+/Y+VLI0t/ivzP3tTEAUAZIBAAAmZr3z/s7YHgAeCBgL7zyL+P1rRBgYAEP6Z1AH959b/NQf+z3sAAP+7AQ7/yWGUAf3XNuB/LBD+j/5f+h8c/HPun/+Ht/PTAQZAAP6/hgBAZ+jsYGhsDQDkAf2noev/U2P/uWXf/8oJ/Pfdsf7x9/9DTuGfwu0/OYx/jAH0f59j+K/CPy9E9I8Z/q85wL/8y7/8y7/8y7/8y7/8y7/8y7/8/0LLCY5PQ1wJvfUv1yk34RNoV3qZjj8UvEeclJu1dAKuP/U4jdR+0Q87phpX3Rt2--- SNIPPED balance of binary info ---

Edited June 29, 2003 by LilBambi

[jbredmound]

It's neen real quite around here. I had 4 days of 5-6 infected emails/day (the Bear), and now, my ZA logs must make it feel like the Maytag Repairman...I just got an auto update on a WM9 patch; sorry, I didn't get a direct link. Has to do with Active X, and allows the bad guys to look at your media files. Not really that big a deal for me...no home movies of the spouse in questionable attire or anything in the ol files.I downloaded it because, when that worm got through that one time, I still believe that what saved me was having good "patch hygiene". The worm was in, but it didn't have a lot of places to go.Then I Crushed it.Excuse me...I have to go now.

[nlinecomputers]

Interesting article I found on Cnet about the real purpose of the Sobig virus. It is a platform for lauching spam.CNET Article.

[friendofdot]

When the article on CNET about the Sobig virus first appeared, I happened to read it. Thirty minutes later, I received an email with the subject line: re:application which is on the Sobig alert list. Although I rarely open an attachment (even from a family member as they are the most dangerous), I was surprised to get this. That same day, I got 3 more and another suspicious email. All were promptly deleted. Have been fairly lucky that I don't get many viruses or see any, but Sobig must be huge for me to get it. Just a heads up.

[Guest LilBambi]

Head's Up Everyone!

http://www.msnbc.com/news/931205.asp?0dm=T217T]&cp1=1

(I changed out the link to that one, it doesn't work right because it actually has a ] in the address - please just use copy and paste to browser, it is well worth reading)SoBig spam-virus still spreading - Tempting e-mails trick recipients into aiding spammers.

It’s part-spam, part-virus and becoming a complete nuisance. The latest version of the “SoBig” virus continued to worm its way around the Internet on Thursday, infecting far more computers than any of its four predecessors. Recognizable by subject lines such as “Re: Movies” or “Re: application,” along with an attached Zip file, the malicious program can turn infected PCs into hijacked spam machines.

“It’s still on the rise,” he said. “And almost by a 10 to 1 majority, it’s home users who are getting hit.”Symantec has received 900 submissions from the worm by customers in the past 24 hours, Weafer said — a rate that’s similar to the year’s fastest-spreading virus so far, BugBear.Antivirus firm Message Labs Inc. said it had trapped 29,000 copies of the worm destined for its clients by the end of Thursday’s business day on the U.S. east coast. About two-thirds of the viruses came from U.S. addresses, the firm said.

Edited July 2, 2003 by LilBambi

[ctsolutions]

I apparantly have some clients who are determined to be early adopters of new virii. One got bugbear.b and the other sobig.e before the av software was prepared. <sigh>Does anyone have any suggestions for saving people from themselves? I swear I've had very serious talks with these people, but they still would happily open a .exe attachment to a message from 53875ohon@aol.com that read: New fun game for you. I bring special gift for you click!I tried disabling certian types of attachments, but they have said that they need that ability at times, and I'm not always onsite. When we discuss the matter, I get the impression that they are totally comfortable with the idea of periodic virus infections. Maybe that's partially my fault for making it relatively painless for them (via backups, etc) but the emergencies that come with their infections really screw up my schedule. Any thoughts? Cheers,Melissa

[nlinecomputers]

If you have to respond in an emergency then up there rates. Plumbers do it all the time. When they ask why tell them you had to cancel calls and lost money.One other option I don't think I'd have the guts to do is to lie and "loose" some of there data. "Oh darn. It looks like that nasty virus killed your quickbooks data. I going to have to send this off to Intuit so they can do a data recovery on this. Could take a week to 10 days and cost as much as $1000" Basicly shut them down. Then comeback tomorrow with a "miracle" solution and a big fat invoice. If it isn't painfull then they are going to keep doing it. Indeed it might be a sign that your rates are too low to begin with.OTOH this IS billiable and I don't know about you but I can use all the billiable hours I can get. Think like P.T. Barnum and be glad the suckers are helping to repeatedly pay the rent. Obviously they don't mind.

[Guest LilBambi]

Sobig.F's secret code and it's failure to communicate!From F-Secure's website regarding the hidden new code making a call to specific site and 20 'server' computers, and their decryption of the code that named these 'servers' Sobig.F was to communicate with on August 22, 2003.Details here:http://www.f-secure.com/news/items/news_20...003082200.shtml---Update:http://www.f-secure.com/v-descs/sobig_f.shtml

Update on August 24th Sobig.F activates on Sunday the 24th of August at 19:00 UTCUpdate on 19:00 UTC Currently all master servers are down, nothing is likely to happen. Update on 20:30 UTC The situation remains the same. Update on 22:00 UTC Nothing happened - the attack failed again. Update on August 22nd Sobig.F activates on Friday the 22nd of August at 19:00 UTC. For information on this, please see: http://www.f-secure.com/news/items/news_20...003082200.shtml Update on 16:00 UTC F-Secure can confirm that 18 of the 20 master servers are currently down or unreachable. Update on 17:00 UTC F-Secure can confirm that 17 of the 20 master servers are currently down. Apparently one of the machines was not disconnected by an ISP and has been booted up by its owner. We're working together with CERTs, FBI and Microsoft to stop the last three. Update on 18 UTC F-Secure can confirm that ALL the master server machines are currently down or unreachable. One of them seems to still respond to PING but not to 8998 UDP. We have one hour to go to see if this really is the case. Update on 18:20 UTC Unfortunately one server is up right now after all. And one might be enough for the attack to start succesfully. Update on 19:00 UTC When deadline for the attack was passed, one machine was still (somewhat) up. However, immediately after the deadline, this machine (located in the USA) was totally swamped under network traffic. We've tried connecting to it, just like the virus does. We do this from three different sensors from three different machines in three different countries. We haven't been able to connect to it once. If we can't connect, neither can the viruses. So the attack failed. We'll keep monitoring until 22:00 UTC. If we're not able to connect once, we can safely say that the attack was prevented.

---Race against Sobig.F successful!

The second stage of an attack by the Sobig.F computer virus fizzled Friday when security researchers and network operators managed to secure the 20 servers from which the virus was scheduled to download new instructions. Security experts discovered Thursday that the tens of thousands of PCs infected this week with the Sobig.F virus were scheduled to contact 20 servers and to download additional software. The experts feared that the software could be used to spy on the computers' owners or launch another wave of spam.

Details here:http://zdnet.com.com/2100-1105_2-5067311.html---Other links of interest:Expert: Organized crime behind Sobig?

"Sobig smashed all the records in terms of pure numbers, but that's not nearly the whole story," said Simpson. "This is the sixth in a series of controlled experiments. This isn't about some kiddy writing viruses in his bedroom--this is really a very sophisticated example of organized crime." And he believes there may be far worse to come.

http://zdnet.com.com/2100-1105_2-5067494.html---According to the AV sites, Sobig.F is set to expire: September 10, 2003.Many articles indicate that a new variant is expected on September 11, 2003.I am wondering why no mention of any significance in these articles with the date a new variance is expected and what happened on 9-11 two years ago here in the U.S.?I know, I know ... just call me paranoid LOL!

[havnblast]

SAN FRANCISCO (Reuters) - A new version of the Sobig.F e-mail virus that has plagued computers worldwide could arrive any day, even before the latest variant is timed to expire on Sept. 10, security experts said on Monday."Another virus could be released any time," said Steve Trilling, research director with the Security Response Team at Symantec Corp. (Nasdaq:SYMC - news), a U.S.-based security company. "We can never be complacent when one threat seems to die down."Mikko Hypponen, manager of anti-virus research at Finland-based F-Secure Corp, said one of the five prior versions of Sobig surfaced before the previous version expired. Sobig.E began circulating June 25, one week before Sobig.D was set to expire, he said.

[Guest LilBambi]

havnblast,That is very true ... it could easily come out before this one expires. Joy!

[friendofdot]

Just received an email with an attachment titled, "Security Patch." Because I had read about a virus masquerading as a MS patch, I opened just the email in the source (Thanks, Bruce). Sure enough, it was from some strange mindspring email address. In the source, it looked very official and I am sure half my family will fall for it...UGH. As I rarely open an attachment, I probably would not have opened this one even if I hadn't been aware of this virus. Just wanted to let everyone know that this is circulating even in Eastern NC.

[Stonegiant]

Ditto. I got 4 emails today. Each had an attachment. 2 said MS in the subject header. I doubt MS will ever send me any email. I checked the properties on them as well. I don't think MS support personnel use (as an example only) LKGRDCTM@whatever-the-domain-was.com... I dumped them. See? You don't need a virus scanner