RE: W32.Sobig.E at mm
If they do this, please don't include an autoresponder.
Too many mail lists have anti-virus filters configured with an
autoresponder that sends a notice to the alleged originator. This is worse
than useless with modern viruses that spoof From fields.
Chip
At 10:08 AM 7/7/2003, Mark Tinka wrote:
>I suppose we can.
>
>My anti-virus filters the messages and only sends me a notification of the
>same. I believe it would be a good idea for the operator of the mailing
>list - uol.co.ug - to check incoming and outgoing e-mail for viruses.
>
>This way, if there's a virus, all we get from the afnog.org MX is a
>notification that "this e-mail was infected with this virus etc. etc.",
>and not the actual infected e-mail itself.
>
>Regards,
>
>Mark Tinka - CCNA
>Network Engineer, Africa Online Uganda
>-----Original Message-----
>From: owner-afnog at afnog.org [mailto:owner-afnog at afnog.org] On Behalf Of
>Ndungu Kahindo
>Sent: Monday, July 07, 2003 9:22 AM
>To: afnog at afnog.org
>Subject: W32.Sobig.E at mm
>
>I noticed that an email sent to this list had this virus. The attachment
>was Your_details.zip. Below are the details from the Symantec site. Is
>there any way we can have these emails checked for viruses before they are
>sent to this list. I have also noticed some unsolicited mails of late.
>
>Kahindo
>
>
>
>Due to an increased rate of submissions, Symantec Security Response has
>upgraded this threat to a Category 3 from a Category 2.
>
>W32.Sobig.E at mm is a mass-mailing, network-aware worm that sends itself to
>all the email addresses that it finds in the files with the following
>extensions:
> * .wab
> * .dbx
> * .htm
> * .html
> * .eml
> * .txt
>
>
>The email falsely purports that Yahoo sent it (support at yahoo.com).
>
>Email Routine Details
>The email message has the following characteristics:
>
>From: support at yahoo.com (NOTE: W32.Sobig.E at mm spoofs this field. It could
>be any address.)
>
>Subject: The subject line will be one of the following:
> * Re: Application
> * Re: Movie
> * Re: Movies
> * Re: Submitted
> * Re: ScRe:ensaver
> * Re: Documents
> * Re: Re: Application ref 003644
> * Re: Re: Document
> * Your application
> * Application.pif
> * Applications.pif
> * movie.pif
> * Screensaver.scr
> * submited.pif
> * new document.pif
> * Re: document.pif
> * 004448554.pif
> * Referer.pif
>
>
>Attachment: The attachment name will be one of the following:
> * Your_details.zip (contains Details.pif)
> * Application.zip (contains Application.pif)
> * Document.zip (contains Document.pif)
> * Screensaver.zip (contains Sky.world.scr)
> * Movie.zip (contains Movie.pif)
>
>
>NOTE: The worm de-activates on July 14, 2003, and therefore, the last day
>on which the worm will spread is July 13, 2003.
>
>Symantec Security Response has created a tool
><http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e at mm.removal.tool.html>
>to remove W32.Sobig.E at mm.
>
>Also Known As <http://securityresponse.symantec.com/avcenter/refa.html#aka>:
>Win32.Sobig.E [CA], W32/Sobig-E [Sophos], W32/Sobig.e at MM [McAfee],
>WORM_SOBIG.E [Trend], I-Worm.Sobig.e [KAV]
>Type <http://securityresponse.symantec.com/avcenter/refa.html#worm>: Worm
>Infection Length <http://securityresponse.symantec.com/avcenter/refa.html#length>:
>82,195 bytes (zip file), 86,528 bytes (executable)
>Systems Affected <http://securityresponse.symantec.com/avcenter/refa.html#systemsaffected>:
>Windows 95, Windows 98, Windows NT, Windows 2000, Windows XP, Windows Me
>Systems Not Affected <http://securityresponse.symantec.com/avcenter/refa.html#systemsnotaffected>:
>Macintosh, OS/2, UNIX, Linux
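
Added example, not part of the original thread or of any list software: a list-side check that matches the attachment and inner-file pairs from the quoted Symantec write-up and, on a hit, notifies only a fixed administrator address, never the forged From header. The names `scan`, `zip_members`, `sample` and `LIST_ADMIN`, and the example.org address, are assumptions made for illustration.

```python
import io, zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Attachment name -> inner file, as listed in the quoted Symantec write-up.
SOBIG_E = {
    "your_details.zip": "details.pif",
    "application.zip": "application.pif",
    "document.zip": "document.pif",
    "screensaver.zip": "sky.world.scr",
    "movie.zip": "movie.pif",
}
LIST_ADMIN = "listadmin@example.org"  # assumed placeholder address

def zip_members(data):
    """Lower-cased member names, or None if the archive cannot be read."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return None

def scan(raw):
    """Decide what a list filter does with one incoming message."""
    hits = []
    for part in message_from_bytes(raw).walk():
        name = (part.get_filename() or "").lower()
        inner = SOBIG_E.get(name)
        if inner is None:
            continue
        members = zip_members(part.get_payload(decode=True) or b"")
        if members is None or inner in members:  # damaged zip: name alone counts
            hits.append(name)
    if not hits:
        return {"action": "deliver", "notify": []}
    # From is forged by the worm, so it is never used as a notification target.
    return {"action": "drop", "notify": [LIST_ADMIN], "matched": hits}

def sample(attach_name, inner_name):
    """Constructed test message; the zip holds only harmless text."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, "harmless placeholder")
    m = EmailMessage()
    m["From"] = "support@yahoo.com"  # spoofed sender named in the write-up
    m.set_content("constructed body")
    m.add_attachment(buf.getvalue(), maintype="application",
                     subtype="zip", filename=attach_name)
    return m.as_bytes()
```
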
-----
This is the afnog mailing list, managed by Majordomo 1.94.5
To send a message to this list, e-mail afnog at afnog.org
To send a request to majordomo, e-mail majordomo at afnog.org and put
your request in the body of the message (i.e use "help" for help)
This list is maintained by owner-afnog at afnog.org