ALERT! - New Worm - Win32.Sobig.F [Archive] - FreeConservatives

nosferatuscoffin
08-19-2003, 01:52 PM
I just wanted everyone to be alert to a new worm, Win32.Sobig.F worm. This is the followup to the Win32.Sobig.E worm that was running around the 'net last month and went inactive on July 13.

The worm will send itself to email accounts with the following Subject lines:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application

Re: Wicked screensaver
Re: That movie

The attachment name is chosen at random from the following list:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

The message body reads either:

Please see the attached file for details.

or

See the attached file for details

The worm is reported to spoof the 'From' address, so that it appears to come from a different address than that of the affected machine.

The worm appears to search files with the following extensions for e-mail addresses to send to:

txt
eml
html
htm
dbx
wab

Please go to CA's site here (http://www3.ca.com/virusinfo/virus.aspx?ID=36376) to get the full scoop and a cleaning utility. This is especially useful for people who do not use CA's AV products.
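The indicators listed above (subject lines, attachment names, canned body text, and the .pif/.scr file types) are enough to write a simple mailbox-side filter. The following is an added example written for this thread, not code from the poster or from CA; it uses Python's standard email library, the sample messages are constructed here for testing and are not real captures, and the helper names are my own.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators quoted in the alert above: subject lines, attachment names, body text.
SUBJECTS = {"Re: Thank you!", "Thank you!", "Your details", "Re: Details",
            "Re: Re: My details", "Re: Approved", "Re: Your application",
            "Re: Wicked screensaver", "Re: That movie"}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}
BODIES = {"please see the attached file for details.",
          "see the attached file for details"}
EXEC_EXTENSIONS = (".pif", ".scr")

def sobig_f_indicators(raw_message: str) -> list[str]:
    """Return every Sobig.F indicator found in one RFC 822 message (empty list = none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():  # yields nothing for single-part mail
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif name.endswith(EXEC_EXTENSIONS):  # unlisted name, same executable file types
            hits.append(f"executable-attachment:{name}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in BODIES:
        hits.append("body:canned-text")
    return hits

def is_sobig_f_candidate(raw_message: str) -> bool:
    """Flag only with an executable-type attachment plus one more indicator; 'Re: Details' alone is too common."""
    hits = sobig_f_indicators(raw_message)
    return any("attachment:" in h for h in hits) and len(hits) >= 2

def constructed_sample(subject: str, body: str, attachment_name: str = "") -> str:
    """Build a constructed test message (not a real capture); From: is a forged third party, as the worm does."""
    m = EmailMessage()
    m["From"] = "innocent.bystander@example.com"
    m["Subject"] = subject
    m.set_content(body)
    if attachment_name:
        m.add_attachment(b"MZ" + b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment_name)
    return m.as_string()
```

Because the worm forges the From: header, the filter deliberately ignores the sender and keys on content and attachment type only.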

tacitus
08-19-2003, 02:36 PM
Thanks just updated the anti-virus sw.

Timberwolf
08-19-2003, 08:11 PM
Got this one 5 times in a span of 5 minutes tonight. Didn't open any of the attachments so I'm OK, right??

nosferatuscoffin
08-19-2003, 08:24 PM
[ QUOTE ]
Timberwolf said:
Got this one 5 times in a span of 5 minutes tonight. Didn't open any of the attachments so I'm OK, right??

[/ QUOTE ]

You should be fine. Go ahead and run an E-Trust scan to be sure, if you think your PC's performance is being affected.

I got about 18 of them this morning in the space of a few hours myself.

Timberwolf
08-19-2003, 08:41 PM
Will do. Thanks, nos.

Timberwolf
08-19-2003, 08:43 PM
btw - I checked the 'properties' box by right-clicking on the email and all of them look to originate from the same place (a university). I'm thinking I should email the 3 people in my addy book to inform them. Whaddya think?

nosferatuscoffin
08-19-2003, 08:55 PM
[ QUOTE ]
Timberwolf said:
btw - I checked the 'properties' box by right-clicking on the email and all of them look to originate from the same place (a university). I'm thinking I should email the 3 people in my addy book to inform them. Whaddya think?

[/ QUOTE ]

The worm uses header 'spoofing', that is, it will take a random email address that is on an infected machine and use that in the "From:" field in the email. So, just because the mail has a "From: John Smith" in it, does not mean it came from John Smith's computer. It would just be that his name happened to be on that machine's address book.

These types of worms happen for a couple of reasons.

1) People do not have AV software on their machines, or they have one, but never update it.

2) A lot of people use Outlook Express as their email program. Outlook Express is a piece of garbage email client that has numerous security holes. I always recommend Eudora (http://www.eudora.com/) for people looking for a good email program. I myself have been using it since 1995 and it has the best features and a lot fewer holes in it than OE.

It comes in three forms. Free (which does not include all of the program's features), Sponsored (which is the full program and has a small box in which ad banners rotate, but it is very unobtrusive. It is also free.) and Paid, which is the full, ad-free version.

Note: Eudora, and for that matter most other mail programs, will NOT work with AOL email accounts. AOL uses a proprietary mail system that runs through their own mail servers and cannot be accessed outside their own environment. (Just one more reason, among millions, for people to dump AOL.)

The_Finman
08-21-2003, 12:57 PM
I want to find the SOB that launched this one and snap his #%@$ing neck!!

I received on Tuesday 253 virus-laden E-mails that completely clogged my inbox.

Although I don't have the virus and am familiar with the attachments that carry it...the sheer volume in my inbox on my ISP server completely shut it down and now I've had to change my main E-mail address because of it.

Anyway I got several nasty E-mails from my ISP telling me that my inbox was past my limit...I let them have it with both barrels and told them that if they would do their #$%@ing job and screened E-mails for known highly replicating viruses/worms instead of sitting on their asses, they could help curb the problem instead of contributing to it.

PeteS_in_CA
08-21-2003, 09:57 PM
I don't know whether Earthlink pre-filters some of the cr@p or our PC-Cillin does or I'm just not hanging out with the right folks, but I haven't seen any of these. Our family policy is not to open any e-mails with attachments until confirming with the "sender" (only those known to us) that they really sent it. Ducked a good number of virii that way. Blaster got in (PC-Cillin caught and quarantined it) and we got several copies of a virus passed through Kazaa, which PC-Cillin 2000 missed, even with pattern updates, but 2003 quarantined. PC-Cillin 2003 has a SW firewall, though how good, quien sabe? We got rid of all concerned, but what a time burner!