AL-2003.14 -- Mass-mailing virus/worm W32/Sobig.F-mm

Date: 20 August 2003
References: ESB-2004.0074  

-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T
                                      
                        AL-2003.14 -- AUSCERT ALERT
                  Mass-mailing virus/worm W32/Sobig.F-mm
                              20 August 2003

===========================================================================


	There is a new variant of the mass-mailing W32/Sobig virus known
	as W32/Sobig.F-mm.  Sobig.F-mm possesses a mass-mailing capability,
	attaching itself to messages, and has the ability to propagate via
	network shares similar to Sobig.E reported in AusCERT update 
	AU-2003.007:
		
		https://www.auscert.org.au/render.html?it=3204  

	International reports indicate that Sobig is propagating rapidly.

	Email infected with Sobig.F will have a spoofed "from:" address,
	so the apparent origin of the message cannot be relied upon to
	identify the infected sender.
	Sobig.F messages may have one of the following subjects:

		Re: Thank you!
		Thank you!
		Your details
		Re: Details
		Re: Re: My details
		Re: Approved
		Re: Your application
		Re: Wicked screensaver
		Re: That movie

	Sobig.F attachments have a random name, chosen from this list:

		your_document.pif
		document_all.pif
		thank_you.pif
		your_details.pif
		details.pif
		document_9446.pif
		application.pif
		wicked_scr.scr
		movie0045.pif

	The message may have one of these lines as its content:

		Please see the attached file for details.
		See the attached file for details

	This variant of Sobig is coded to stop replicating as of 10th
	September 2003.

	Information
	-----------

	http://www.f-secure.com/v-descs/sobig_f.shtml
	http://vil.nai.com/vil/content/v_100561.htm#VirusInfo
	http://www3.ca.com/solutions/collateral.asp?CT=27081&CID=49259
	http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561
	http://securityresponse1.symantec.com/sarc/sarc.nsf/html/w32.sobig.f@mm.html
	http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
	http://www.sophos.com/virusinfo/analyses/w32sobigf.html
	http://www.messagelabs.com/viruseye/info/default.asp?tabIt=rep&virusname=W32/Sobig.F-mm 

	Solution 
	--------

	When possible, upgrade all anti-virus software to use the latest
	definition files as soon as they become available.

	Ensure that all network file shares are disabled unless necessary
	and if possible ensure that active shares are password protected.

	AusCERT advises members to disseminate and take action on this
	information to prevent any undesirable activity by this virus
	within their sites.

	AusCERT has produced an article "Protecting your computer from malicious code", 
	available at http://www.auscert.org.au/3352

- ---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information
contained in this security bulletin is accurate at the time of publication. 
However, the decision to follow or act on information or advice contained in 
this security bulletin is the responsibility of each user or organisation, and 
should be considered in accordance with your organisation's site policies and 
procedures. AusCERT takes no responsibility for consequences which may arise 
from following or acting on information or advice contained in this security 
bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business
                hours which are GMT+10:00 (AEST).  On call after hours
                for member emergencies only.
	
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld  4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBP0Ka7Sh9+71yA2DNAQGP3QQAjRaeyKsRIeFWagltR+099w5SwhTLsSmP
Fg+Bg8sXGP2IelVbSvHK1zGwVjDpNQcvVAk7wGDK0eyyTItZ3s6Db7mi4Ad4XgKi
YRE+ccZbe34E8hxDH6Gem11NqiVMVcfo2gvQZUHNBWM8LJbcdXEknWSSZTqf6+du
r32S3U9rzAg=
=JH9q
-----END PGP SIGNATURE-----