08-21-2003, 05:47 PM
#1
Registered User
Join Date: May 2002
Location: Warrington UK
Posts: 1,484
SoBig.F. Please read.
Who's been hammered by this today?
In the last 24hrs I've received over 130 mails infected by it, plus 26 bounces containing faked addresses supposedly from me (my system and the server, and every other PC on my home network, is clean, NATted, and firewalled).
Most of the messages have incomplete headers,
but 5 of the bounces that had the full headers included the server name MARGI and an AT&T-owned IP address.
Address is 12.207.156.209
Looks to be part of a dial-up/dynamic connection pool.
Anyone recognise that IP? If you do, check your system very carefully.
I'm not pointing and blaming, just trying to help you sort things out, if it is you.
__________________
4x4 in a turbo stylee.
08-21-2003, 06:40 PM
#2
Maximum Bitrate
Join Date: Dec 2000
Location: Smyrna, Ga, USA
Posts: 778
Well, you know it's the fastest spreading computer virus to date.
You just might get a couple of copies of it. Are you saying someone that reads this board has it? I wouldn't doubt it; what's your point?
Yes, it's a huge pain in the *** to hit delete. Sysadmins across the nation have people screaming down their throats, and they have hundreds of client machines to clean, in addition to a way overworked server trying to cope with all the traffic.
Just be glad the worm doesn't attack your file system and delete data.
08-21-2003, 07:16 PM
#3
Variable Bitrate
Join Date: Jul 2003
Location: Earth
Posts: 359
Quote: Originally Posted by gizmomkr
Well, you know it's the fastest spreading computer virus to date.
You just might get a couple of copies of it. Are you saying someone that reads this board has it? I wouldn't doubt it; what's your point?
Yes, it's a huge pain in the *** to hit delete. Sysadmins across the nation have people screaming down their throats, and they have hundreds of client machines to clean, in addition to a way overworked server trying to cope with all the traffic.
Just be glad the worm doesn't attack your file system and delete data.
Compare this to a network of 5000 machines being offline for 3 hours today and then consider yourself lucky......
Sobig.F and something else.... Nachi brought our network to its knees.
08-22-2003, 02:24 AM
#4
Registered User
Join Date: May 2002
Location: Warrington UK
Posts: 1,484
I know it isn't a problem to hit delete. But if someone has it and doesn't know (and it uses its own SMTP engine, so why would you know, other than the internet getting a bit slow if you are using it while it bulk-mails silently), wouldn't they want someone to tell them and fix it?
__________________
4x4 in a turbo stylee.
08-22-2003, 04:18 AM
#5
Variable Bitrate
Join Date: Jul 2003
Location: Earth
Posts: 359
The University network is sooooo pooooo if you sneeze it will fall.
08-22-2003, 06:38 AM
#6
Registered User
Join Date: May 2002
Location: Warrington UK
Posts: 1,484
Quote: Originally Posted by gizmomkr
Well, you know it's the fastest spreading computer virus to date.
You just might get a couple of copies of it. Are you saying someone that reads this board has it? I wouldn't doubt it; what's your point?
Yes, it's a huge pain in the *** to hit delete. Sysadmins across the nation have people screaming down their throats, and they have hundreds of client machines to clean, in addition to a way overworked server trying to cope with all the traffic.
Just be glad the worm doesn't attack your file system and delete data.
Thing is, I'm not infected.
But for my poor old Pentium Pro mail and web server and NAT router, even the few hundred it has handled in the last couple of hours is tough for it.
It's all incoming and bounce messages.
I must have had 10 from each address now, and just like mine in the bounces, they are probably fake (the real sender, that is).
__________________
4x4 in a turbo stylee.
08-22-2003, 06:45 AM
#7
Super Moderator
Join Date: May 2002
Location: Albany, NY
Posts: 1,802
I keep graphs of CPU performance of our mail server, and when Sobig hit there was a 700% jump in CPU usage. This is for a small company of 10 people, mind you. I'd hate to be an admin of a big network.
__________________
'98 Explorer Sport
http://mp3car.zcentric.com (down atm)
AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
80% done
08-22-2003, 09:04 AM
#8
Registered User
Join Date: Apr 2001
Location: Chicago Suburbs
Posts: 1,282
Perhaps this is the reason I can't get onto Hotmail today....
It keeps claiming "Server too busy".
~mike
__________________
Single Member of the "1000 Post and No MP3 Car" Club
PROJECT ON INDEFINITE HOLD... BOUGHT A HOUSE
2000 Cavalier Z24 [###-------] Only 30% Done ... Still
08-22-2003, 09:31 AM
#9
FLAC
Join Date: Jul 2003
Location: San Antonio, TX. USA
Posts: 1,375
We got pummeled by the spam that contains the "sobig" virus. It slowed down our mail server somewhat. I'm glad to say that out of 250 clients we only got three infected. I yell at our end users a lot and sometimes they listen. This time they did. Interestingly enough, the three that got infected were our gen mgr, a department supe and my desktop machine. I know I didn't click on the attachment, so they must have been infected by just opening the email.
Take Care
08-22-2003, 10:54 AM
#10
Super Moderator
Join Date: May 2002
Location: Albany, NY
Posts: 1,802
chut, yes.. that's why you never use Outlook.
__________________
'98 Explorer Sport
http://mp3car.zcentric.com (down atm)
AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
80% done
08-22-2003, 11:59 AM
#11
FLAC
Join Date: Jul 2003
Location: San Antonio, TX. USA
Posts: 1,375
Actually, that's all we use. And getting people off of Express was a real pain in the ***.
Quote: Originally Posted by hijinks21
chut, yes.. that's why you never use Outlook.
08-22-2003, 12:07 PM
#12
Raw Wave
Join Date: Jun 2000
Location: Nashville
Posts: 2,635
Okay, the way the SoBig-F variant works is this:
1. User opens attachment.
2. SoBig accesses the address book.
3. SoBig picks a name at random from the address book.
4. SoBig emails everyone else in your address book and spoofs the random person's email address.
If users got an email seemingly from you that had the virus, it wasn't you.
__________________
Debt as of 1/1/05: $34,354.48
Debt as of July 4, 2007: $0.00 explanation
Total spent on wedding so far: $3885.79
Thanks to everyone for your support.
I'M DEBT FREE!!
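A worked example tying the two observations together: the bounces in post #1 could only be traced through the full Received: headers, precisely because, as post #12 explains, the From: line is a random address-book entry and proves nothing. The script below is added here and is not from the thread or any poster; every host name, address and IP in the sample bounce is constructed (RFC 5737 documentation ranges), the risky-extension list is an assumed local policy, and the "sender domain never appears in the Received chain" test is a heuristic, not a standard.

```python
"""Trace a spoofed mail back to the host that injected it.

Added example, not from the thread. A SoBig-style worm puts a random
address-book entry in From:, so bounces land on someone who never sent
anything. The From: line proves nothing; the Received: lines stamped by
each relay do, read from the bottom (earliest hop) upwards.
"""
import email
import re
from email.message import Message
from email.utils import parseaddr

# Constructed sample bounce. Host names, addresses and IPs are invented
# (RFC 5737 documentation ranges). The shape follows the thread: a DSN
# wrapping the original as message/rfc822, a forged From:, and a dial-up
# host with a bare Windows machine name as HELO in the earliest hop.
SAMPLE_BOUNCE = """\
Return-Path: <>
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby mail.example.org with ESMTP id X1; Thu, 21 Aug 2003 15:02:11 +0100
From: Mail Delivery Subsystem <MAILER-DAEMON@example.net>
To: victim@example.org
Subject: Returned mail: see transcript for details
Content-Type: multipart/report; report-type=delivery-status;
\tboundary="bounce-boundary"

--bounce-boundary
Content-Type: text/plain

The original message was received at Thu, 21 Aug 2003 14:01:00 +0100
   ----- The following addresses had permanent fatal errors -----
<nobody@example.net>

--bounce-boundary
Content-Type: message/rfc822

Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby relay.example.net with ESMTP id Y2; Thu, 21 Aug 2003 14:01:00 +0100
Received: from HOMEPC (dialup-203-0-113-45.pool.example.com [203.0.113.45])
\tby mx.example.net with SMTP id Z3; Thu, 21 Aug 2003 14:00:58 +0100
From: victim@example.org
To: nobody@example.net
Subject: Re: Your application
Content-Type: multipart/mixed; boundary="worm-boundary"

--worm-boundary
Content-Type: text/plain

See the attached file for details

--worm-boundary
Content-Type: application/octet-stream; name="your_document.pif"
Content-Transfer-Encoding: base64

bm90IGEgcmVhbCBleGVjdXRhYmxl

--worm-boundary--

--bounce-boundary--
"""

# Assumed local policy (not from the thread): attachment extensions to flag.
RISKY_EXT = {"pif", "scr", "exe"}

# "from HELO (reverse-dns [ip])" as written by sendmail/Postfix-style relays.
RECEIVED_FROM = re.compile(r"^\s*from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?", re.I)
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def embedded_original(msg: Message) -> Message:
    """Return the message a DSN carries as message/rfc822, else msg itself."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return msg


def first_hop(msg: Message) -> dict:
    """Parse the earliest Received: line; relays prepend, so it is the last one."""
    received = msg.get_all("Received") or []
    empty = {"helo": None, "reverse_dns": None, "ip": None}
    if not received:
        return empty
    m = RECEIVED_FROM.match(received[-1])
    if not m:
        return empty
    paren = m.group("paren") or ""
    tokens = paren.split()
    rdns = tokens[0] if tokens and not tokens[0].startswith("[") else None
    ip = IPV4.search(paren)
    return {"helo": m.group("helo"), "reverse_dns": rdns, "ip": ip.group(1) if ip else None}


def attachment_names(msg: Message) -> list:
    """Filenames from Content-Disposition or the Content-Type name= parameter."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def analyse(raw: str) -> dict:
    """Compare the claimed sender with the injecting host and flag risky attachments."""
    original = embedded_original(email.message_from_string(raw))
    claimed = parseaddr(original.get("From", ""))[1]
    claimed_domain = claimed.rsplit("@", 1)[-1].lower() if "@" in claimed else ""
    chain = " ".join(original.get_all("Received") or []).lower()
    # Heuristic: a genuine sender's domain shows up somewhere in the relay
    # chain; an address-book forgery usually does not.
    spoof_suspected = not claimed_domain or claimed_domain not in chain
    risky = [n for n in attachment_names(original)
             if n.lower().rsplit(".", 1)[-1] in RISKY_EXT]
    return {"claimed_sender": claimed, "origin": first_hop(original),
            "spoof_suspected": spoof_suspected, "risky_attachments": risky}


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_BOUNCE).items():
        print(f"{key}: {value}")
```

Two caveats when reading the result. Only the Received: lines added by relays you trust are reliable; a sender can prepend fake ones, so walk down from your own server's stamp and stop at the first hop you do not control, rather than blindly trusting the bottom line. And, as the thread notes, a dial-up or dynamic pool address identifies a subscriber only at that moment, so any report to the owning ISP needs the timestamp from that same Received: line.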
08-22-2003, 12:54 PM
#13
Super Moderator
Join Date: May 2002
Location: Albany, NY
Posts: 1,802
In Outlook you don't even need to open the attachment. In unpatched versions they can just write some JS code to auto-exec the virus. That's why I banned users from using Outlook for the company I worked for.
__________________
'98 Explorer Sport
http://mp3car.zcentric.com (down atm)
AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
80% done
08-22-2003, 01:00 PM
#14
Registered User
Join Date: May 2002
Location: Warrington UK
Posts: 1,484
OK. I don't know if I'm patched at Outlook/OS level.
But I have all the latest updates to F-Prot AV.
I'm not infected according to F-Prot.
My mail server (on the same LAN) also uses F-Prot, both as an OS anti-virus and as part of the mail server as an internal AV extension.
My machine scans fine. The mail server machine scans fine.
The mailer daemon and its AV subsystem are picking up bucketloads of SoBig attachments and rendering them harmless/deleting them. So I pretty much have to be clean. You would hope.
__________________
4x4 in a turbo stylee.
08-22-2003, 01:14 PM
#15
Super Moderator
Join Date: May 2002
Location: Albany, NY
Posts: 1,802
Skraggy_uk, one would hope
__________________
'98 Explorer Sport
http://mp3car.zcentric.com (down atm)
AMD 800mhz 192megs RAM 60gig hard drive 9 inch widescreen VGA
80% done
All times are GMT -5.