W32.Sobig.F@mm worm/virus going around

[Gwarsbane]

There is a new worm/virus going around called W32.Sobig.F@mm

This thing is causing problems all over the place. Alot of big companies have been hit. I myself have had at least 7 or 8 messages with the worm/virus included with them.

Thankfully I run Agent as my e-mail program and it doesn't auto run attachments like Outlook/Outlook Express does.


**WARNING**

Before running the removal tool make sure you read all the instructions on the page first. If you are not sure what do to then get check with a local Tech freind. If yo uare work make sure your network admin knows of this removal tool.

Also make sure that your windows updates are upto date and that your antivirus program is also upto date.


Here is the removal tool for it, again make sure you read all the instructions first before using the tool. <A HREF=http://www.symantec.com/avcenter/venc/data/[email protected] TARGET=_NEW>W32.Sobig.F@mm removal tool</A>

[PIX]

Yuppers....luckily i have been on the ball here at work with updates. Our Notes server
has blocked over 200 since yesterday for SoBig.
I'd like to have just 5 minutes with this wimpass creators and let them know how puny they really are.

[evil_admin]

PIX,

You admin Domino servers also? I started out as Domino Developer/Admin and only recently have gone to the dark side and done ASP/SQL. My screenname, desNotes, came from being a Notes developer.

evil_admin

[Guest]

That's really funny, coz I haven't had a single one... you must have gotten all mine!:)

[PIX]

Actually, Domino makes my stomach knot up. I HATE it. I am pushing them to rid themselves of all IBM products. We have Notes, Sametime and Teamplace. I'd rather have Exchange.

[Guest]

I was an Exchange admin for ages... I've seen/used notes... I know I'd pick Exchange any day for email stuff, though Notes does have some niceties...

[sage_4]

is the svchost error in win2k related to this worm?

[sage_4]

nm, did some research, turns out its the blaster worm. not really comforting news, but it's fixed now.

[Guest]

What's really funny is that the AV vendors have all released an update to cure Blaster.D which actually moves quicker, hogs more bandwidth, but only because it actually installs the correct MS patch to cure the Blaster-style infection!

[GRITS]

The way they work

"I didn't send a message to this person, in fact I don't even know them! Why did I get a message from an administrator saying my message was infected with a virus, or undeliverable?"

Answer:
These viruses use a technique called "spoofing". Spoof is a term for falsifying the e-mail headers (pretending to be from someone it's not). What happens is that on an infected machine, the virus looks through the users' address books and mailboxes and randomly selects e-mail addresses. It uses these for both the "to" and the "from" fields so that it appears the message is legit. So when a mail server blocks the attachment, or the message, it bounces it to the sender's address even if that's not really where it came from. So it generally means that the recipient of the blocked attachment message probably corresponded with someone that became infected.

Check here and here
if you want more information

[Guest]

It's worse for us sysadmin's... coz we generally get ten tonnes more copies that bounce, etc :/ Fortunately, if you have your email configured right then those that use the mail server to relay would be bounced... those viruses that use their own SMTP mailer built in.. well... that sucks...

still, I am almost done configuring our firewall at work so that the ONLY machine that can SMTP is the actual mail server.:)

[jabbahunt]

question, how much of delays are caused by sys admins not being prepared for situations such as these or because they have to do certain steps during these occurances and if so, do these hackers exploit these circumstances.






and to the conspiracy theorists, are you the guys causing this for job security?,hmmmm

[Guest]

Some sysadmin's will always blame the users... but at the end of the day, I say that all users should be classified as lower lifeforms and thus treated with care, and expect nothing back... therefore, the admin should always be prepared (like in the scouts) and if they aren't... then they have to handle the pressure they are put under.:)

[evil_admin]

As we say in the geek realm (with much love)..."users are losers"

[GRITS]

my understanding is that the biggest "users" are the sysadmins....ergo...... :P

[Guest]

no, we aren't users... we are Super Users.. : )

[PIX]

Couple of the bigest problems are people NOT updating their virus protection programs and users
opening stupid attachments. Departments HAVE to implement some kind of operating procedure
and make sure the users know it and agree to it. I put in the Norton Antivirus Server for our internal
and external networks. It is the single point of failure and distributes all the virus updates to all the
boxes in it's subnets. THis takes care of the first problem. The second problem is a little more hands on
and requires you to educate your sheep about what NOT to open.

[Wha?]

Simple: If it has an attachment, and you're at work....

If that doesn't work, start "Negative Reinforcement Day", a once a month event where you duct tape a random luser to a chair in a windowless, soundproof room, and beat them untill they understand why they don't have root access.

[Guest]

Simple: If it has an attachment, and you're at work....

If that doesn't work, start "Negative Reinforcement Day", a once a month event where you duct tape a random luser to a chair in a windowless, soundproof room, and beat them untill they understand why they don't have root access.

Sounds like a plan. I also like my, make-a-user-feel-they-caused-the-internet-to-fail method. A user can't think of anything worse, coz they all assume that it's so big and powerful it can't be affected... that's if they even know what it is....

Oh. and after the recent spate, I added the latest sophos warnings to my website (along with windows news). Might see if there are any other news feeds that I could add there.

[Guest]

Btw, thought you lot might be interested to know about the arrest of a Teenager 'teekid' who allegedly wrote a variant MSBlaster.B ... who knows...

http://www.techweb.com/wire/story/TWB20030829S0003