Re: [Full-Disclosure] SoBig.F strange problem

From: Joseph L. Hood (fnab_at_acerbus.com)
Date: 08/19/03

    To: full-disclosure@lists.netsys.com
    Date: Tue, 19 Aug 2003 15:55:35 -0400 (EDT)
    
    

    The virus writes to addresses found in the address book; it also seems to
    use random addresses, from the address book, as return addresses. Look at
    the headers to determine where the email is really originating.

    More than likely you're getting hit from someone you know.

    On Tue, 19 Aug 2003, Scott Phelps / Dreamwright Studios wrote:

    >
    > All day today I've been getting copies of SoBig.F. I've gotten around 150
    > copies so far, and a large number of postmaster bounces saying that a copy
    > sent from my address was undeliverable.
    >
    > I know that SoBig forges the from address from files it finds on the victim's
    > machine, but I can't for the life of me figure out why I'm the attempted
    > victim for so many other copies. I'm not infected with the virus, I'm
    > running antivirus that strips the attachment before it lands in my inbox,
    > and I'm running a version of Outlook that disallows the attachment
    > extensions that SoBig uses. I've run manual scans on all of my machines, in
    > case of infection through a network share, but I don't have any of those
    > from outside either. All the emails seem to be coming from different places,
    > but around 90% are using a from address of @msu.edu.
    >
    > Is there some logical explanation why I'm being singled out here? My
    > antivirus is driving me insane with popups, so I've had to shut down my mail
    > program to get some work done.
    >
    > I'm sorry for the off-topic nature of this question, but this makes no sense
    > to me!
    >
    > Scott
    >
    >
    >
    >

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
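
The header check suggested in the reply above, as an added example that is not part of the original thread: it walks the `Received:` chain from the newest hop down and reports the client that connected to the first server you control, since everything below that hop (and the `From:` line) is supplied by the sender. The message, host names, addresses and the `trusted_suffixes` parameter are constructed assumptions.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: From claims msu.edu, but the hop recorded by our own
# server (assumed domain example.net) shows a dial-up client somewhere else.
RAW = """\
Received: from mail.example.net (mail.example.net [192.0.2.10])
\tby mbox.example.net with ESMTP id A1; Tue, 19 Aug 2003 15:01:07 -0400
Received: from LAPTOP7 (dialup-44.isp.example [198.51.100.44])
\tby mail.example.net with SMTP id B2; Tue, 19 Aug 2003 15:01:05 -0400
Received: from msu.edu (unknown [203.0.113.9])
\tby relay.invalid with SMTP; Tue, 19 Aug 2003 14:00:00 -0400
From: someone@msu.edu
To: scott@example.net
Subject: constructed sample

(body omitted)
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>" as written by common MTAs
HOP = re.compile(
    r"from\s+(\S+)\s+\((?:(\S+)\s+)?\[([0-9a-fA-F.:]+)\]\).*?\bby\s+(\S+)", re.S)

def parse_hops(raw):
    """Return (message, hops); hops are ordered newest first, as in the headers."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP.search(value)
        if m:
            hops.append({"helo": m.group(1), "rdns": m.group(2),
                         "ip": m.group(3), "by": m.group(4)})
    return msg, hops

def true_origin(raw, trusted_suffixes):
    """Return (claimed From address, hop where mail entered trusted servers)."""
    msg, hops = parse_hops(raw)
    origin = None
    for hop in hops:
        # Stop at the first hop not written by a server we control:
        # that header and everything below it may be forged.
        if not hop["by"].lower().endswith(tuple(trusted_suffixes)):
            break
        origin = hop
    return parseaddr(msg.get("From", ""))[1], origin

if __name__ == "__main__":
    claimed, hop = true_origin(RAW, [".example.net"])
    print(f"From claims {claimed}; handed to us by {hop['rdns']} [{hop['ip']}]")
```
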

