RE: The sobig worm and ME
From: Rita Nikas [MSFT] (ritan_at_online.microsoft.com)
Date: 08/24/03
Date: Sun, 24 Aug 2003 04:55:33 GMT
Hi Doug.
Here's the information about the sobig virus, located at
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/virus/alerts/sobig.asp:
PSS Security Response Team Alert - New Worm: W32.Sobig.A and Variants
SEVERITY: MODERATE
DATE: August 20, 2003
PRODUCTS AFFECTED: Microsoft Outlook, Microsoft Outlook Express, and
Web-based e-mail
A home user version of the virus alert is available at:
http://www.microsoft.com/security/antivirus/sobig.asp
**********************************************************************
WHAT IS IT?
The PSS Security Team is issuing this new alert to advise customers on
W32.Sobig.A and its variants. Sobig.A and its variants spread via e-mail
and network shares. The Microsoft Product Support Services Security Team is
issuing this alert to advise customers to be on the alert for this virus
and its variants as it spreads in the wild. Customers are advised to
review the information and take the appropriate action for their
environments.
IMPACT OF ATTACK:
Mass-mailing
TECHNICAL DETAILS:
W32/Sobig.A@MM spreads via e-mail and network shares. This worm typically
spoofs an address ending in @microsoft.com. Many of the addresses are valid
addresses that are being spoofed for malicious purposes. Microsoft does not
send unsolicited e-mail containing attachments to our customers.
Information on Microsoft’s official response to all viruses of this nature
can be found here:
http://www.microsoft.com/technet/security/news/patch_hoax.asp
Message characteristics vary for each variant of the Sobig virus. Technical
information from each variant is available below from Microsoft Virus
Information Alliance (VIA) Members.
For additional details on this worm from anti-virus software vendors
participating in the Microsoft Virus Information Alliance (VIA) please
visit the following links:
Computer Associates
SoBig.A
http://www3.ca.com/virusinfo/virus.aspx?ID=13983
SoBig.B
http://www3.ca.com/virusinfo/virus.aspx?ID=35204
SoBig.C
http://www3.ca.com/virusinfo/virus.aspx?ID=35347
SoBig.D
http://www3.ca.com/virusinfo/virus.aspx?ID=35549
SoBig.E
http://www3.ca.com/virusinfo/virus.aspx?ID=35652
SoBig.F
http://www3.ca.com/virusinfo/virus.aspx?ID=36376
Network Associates:
SoBig.A
http://vil.nai.com/vil/content/v_99950.htm
SoBig.B
http://vil.nai.com/vil/content/v_100307.htm
SoBig.C
http://vil.nai.com/vil/content/v_100343.htm
SoBig.D
http://vil.nai.com/vil/content/v_100397.htm
SoBig.E
http://vil.nai.com/vil/content/v_100429.htm
SoBig.F
http://vil.nai.com/vil/content/v_100561.htm
Trend Micro:
SoBig.A
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.A
SoBig.B
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.B
SoBig.C
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.C
SoBig.D
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.D
SoBig.E
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.E
SoBig.F
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
Symantec:
SoBig.A
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html
SoBig.B
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b@mm.html
SoBig.C
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c@mm.html
SoBig.D
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.d@mm.html
SoBig.E
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e@mm.html
SoBig.F
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
Sybari:
SoBig.A
http://www.sybari.com/alerts/alertdetail.asp?Name=W32/Sobig@MM
SoBig.C
http://www.sybari.com/alerts/alertdetail.asp?Name=W32/Sobig.c@MM
SoBig.E
http://www.sybari.com/alerts/alertdetail.asp?Name=W32/Sobig.E@mm
SoBig.F
http://www.sybari.com/alerts/alertdetail.asp?Name=W32/Sobig-F
For more information on Microsoft’s Virus Information Alliance please visit
this link: http://www.microsoft.com/technet/security/virus/via.asp
PREVENTION:
1) Block harmful attachment types at your Internet mail gateways. For this
particular worm customers should block all attachments with the .pif
extension. (Note: the attachment extension may be truncated to .pi in some
instances)
2) Ensure the following prevention steps are taken:
Outlook 2000 post SP2 and Outlook XP SP1 include the most recent updates to
improve the security in Outlook and other Microsoft Office programs. This
includes the functionality to block potentially harmful attachment types.
If you are running either of these versions, they will (by default) block
the attachment, and you will be unable to open it.
To ensure you are using the latest version of Office click here:
http://office.microsoft.com/ProductUpdates/default.aspx
By default, Outlook 2000 pre-SR1 and Outlook 98 did not include this
functionality, but it can be obtained by installing the Outlook E-mail
Security Update. More information about the Outlook E-mail Security Update
can be found here:
http://office.microsoft.com/Downloads/2000/Out2ksec.aspx
To find out what attachment types are blocked by Outlook please see this
Microsoft Knowledgebase Article:
http://support.microsoft.com?kbid=290497
Outlook Express 6 can be configured to block access to potentially-damaging
attachments. Information about how to configure this can be found here:
http://support.microsoft.com?kbid=291387
Outlook Express all other versions: Previous versions of Outlook Express do
not contain attachment-blocking functionality. Please use extreme caution
when you open unsolicited e-mail messages with attachments.
Web-based e-mail programs: Use of an application-level firewall can protect
you from being infected with this virus through Web-based e-mail programs.
RECOVERY:
If your computer is infected with this virus, update your virus signature
files to detect and remove the virus. Please contact Microsoft Product
Support Services or your preferred antivirus vendor for assistance with
removing it.
RELATED KB'S: (Updated in 24 hours)
http://support.microsoft.com/?kbid=821454
As always please make sure to use the latest Anti-Virus detection from your
Anti-Virus vendor to detect new viruses and their variants.
If you have any questions regarding this alert please contact your
Microsoft representative or 1-866-727-2338 (1-866-PCSafety) within the US,
outside of the US please contact your local Microsoft Subsidiary.
PSS Security Response Team
Sincerely,
Rita Nikas, MCSE MCDBA
Microsoft MVP Lead
Product Support Services
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
| Subject: The sobig worm and ME
| Date: Sat, 23 Aug 2003 21:05:56 -0700
|
| I have read the articles and I hear the claims that it
| does NOT affect Windows ME.... this isn't true. My PC is
| suffering from the same effects that the others are, that
| possess this worm. I need some help. Any advice as to
| where I can find a patch to delete this nasty bug? Is it
| going to come down to me reformatting this PC? Are there
| any solutions for ME, or is it not a recognized problem
| yet? Please help if you can.
|
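
The gateway check from PREVENTION step 1 (reject .pif attachments, including names truncated to .pi), as an added example that is not part of the original post or of the Microsoft alert. The function names and the sample message are constructed for illustration; the check reads the file name from both the Content-Disposition and Content-Type headers, since the two can disagree.

```python
from email import message_from_bytes
from email.utils import collapse_rfc2231_value

# Extensions from the alert: .pif, plus .pi for truncated names.
BLOCKED_EXTENSIONS = {".pif", ".pi"}

# Constructed sample message (not a captured Sobig e-mail).
SAMPLE = (
    b"From: sender@example.com\r\n"
    b"Subject: constructed sample\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"See the attached file.\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="Details.PIF"\r\n'
    b'Content-Disposition: attachment; filename="Details.PIF"\r\n\r\n'
    b"AAAA\r\n"
    b"--b1\r\n"
    b'Content-Type: application/octet-stream; name="notes.txt"\r\n'
    b'Content-Disposition: attachment; filename="notes.pi"\r\n\r\n'
    b"AAAA\r\n"
    b"--b1--\r\n"
)


def advertised_names(msg):
    """Yield every file name a MIME part declares, in either header."""
    for part in msg.walk():
        for header, param in (("content-disposition", "filename"),
                              ("content-type", "name")):
            raw = part.get_param(param, header=header)
            if raw is not None:
                yield collapse_rfc2231_value(raw)


def is_blocked(filename):
    """True if the final extension is on the block list."""
    # Windows ignores trailing dots and spaces, so strip them first.
    name = filename.strip().rstrip(". ").lower()
    _stem, dot, ext = name.rpartition(".")
    return bool(dot) and "." + ext in BLOCKED_EXTENSIONS


def blocked_attachments(raw_message):
    """Return the sorted set of declared names the gateway should reject."""
    msg = message_from_bytes(raw_message)
    return sorted({n for n in advertised_names(msg) if is_blocked(n)})
```

Calling blocked_attachments(SAMPLE) returns both the upper-case .PIF name and the part whose Content-Type name looks harmless while its Content-Disposition filename ends in .pi.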