Re: Annoying virus being mailed to me
From: "Don Voss" <voss () albany edu>
Date: Fri, 07 Feb 2003 15:13:49 -0500
On 7 Feb 2003 at 10:54, Chris Carter wrote:

Hi guys, For the last two months or so I have been receiving emails
with the I-Worm/Sobig virus attached about twice a day. My anti-virus
sw protects me well so I am not infected in any way (nor has anybody
else here). Initially, I used to ignore the messages and delete them;
after a couple of weeks I decided to trace the source IP from the mail
header and send complaint messages to the corresponding ISP. But the
Bast**d keeps finding other IP's to mail me from. Messages come from
big () boss com Is anyone else being targeted? Is this a common
occurrence? Am I the only one?

Are you joking ?

Well maybe not .. so here is the scoop. This is just another mass-mailer
virus/worm event. The reason the ip address changes is that other users
are being infected .. then transmitting. Another factor is that [ as
mentioned below], it will mail itself to all email addresses found in
various document formats found on the infected machine.

So .. I get these .. we all probably got/get a few a day/week. Depends
how long you have had your email address and what kind of organization
you work for + your circle of contacts. Add it all up .. it is a numbers

So .. here at the university .. I've had this address and others for 16+
years .. multiple variants are still aliased to the current. I am in
various documents across multiple departments, on campus web pages, in
university charts, university staff address books, on and on.

These people take work home ...so a data file / address book with my
email address may be there .. their children use the units .. they go to
school and use a lab ..

I post in listserv groups for years .. people have mail archives /
address books / htmlized versions of listserv material on their pcs ..
now we are across national borders ..

So who is sending me stuff from big () boss com .. who knows .. and who
cares .. as long as it's not from a unit I currently am responsible for ..
I just delete and move on .. I personally would not spend a minute
looking for virus generated email or commercial spam email .. I just
filter and delete. It's a shame yes .. but not worth any effort to chase
down at this time. Maybe when we have better laws regarding it .. and
fines .. !! .. it would be worth keeping track of.
Details stolen from symantec www site.
As of January 13, 2003, due to an increase in submissions, Symantec
Security Response has upgraded this threat to a Category 3 from a

The W32.Sobig.A@mm worm sends itself to all the addresses it finds in the
.txt, .eml, .html, .htm, .dbx, and .wab files. The email message has the

From: big () boss com
Subject: The subject will be one of these:
Re: Here is that sample
Attachment: The attachment will be one of these:

Before W32.Sobig.A@mm sends the messages, it sends a message to an
address at pagers.icq.com.

The worm also attempts to copy itself to the following folders on all the
open network shares:

\Windows\All Users\Start Menu\Programs\StartUp
Documents and Settings\All Users\Start Menu\Programs\Startup

Note: Symantec Security Response has received reports of W32.Sobig.A@mm
downloading and installing the Backdoor Trojan, Backdoor.Lala.

Also Known As: W32/Sobig [McAfee], WORM_SOBIG.A [Trend], W32/Sobig-A
Infection Length: 65,536 bytes
Systems Affected: Windows 95, Windows 98, Windows NT, Windows 2000,
Windows XP, Windows Me
Systems Not Affected: Macintosh, OS/2, UNIX, Linux
The above text stolen from :
http://www.symantec.com/avcenter/venc/data/w32.sobig.a@mm.html
Don Voss voss () albany edu
Sr. Programmer Analyst
Geography & Planning Department
The University at Albany, SUNY
Albany, NY, 12222-0100
"No matter how cynical you get, it is impossible to keep up."
- Lily Tomlin