Home page logo
/

nanog logo nanog mailing list archives

Re: Brace yourselves.. W32/Sobig-F about to mutate...
From: up () 3 am
Date: Fri, 22 Aug 2003 14:16:32 -0400 (EDT)



Just started getting it here...it came from a local Comcast cable user,
and so overwhelmed the mail server, that SpamAssassin and qmail-scanner
stopped scanning it.  I had to nullroute that IP to stop it...

it looks like this:

Return-Path: <admin () duma gov ru>
Delivered-To: james () pil net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
From: "Microsoft" <security () microsoft com>
To: <james () pil net>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
Parts/Attachments:
   1 Shown      3 lines  Text
   2          9.6 KB     Application
   3 Shown      0 lines  Text
----------------------------------------

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

On Fri, 22 Aug 2003 Valdis.Kletnieks () vt edu wrote:

A quick heads up, if anybody hasn't heard:

At 1900GMT today, ET phones home, and picks up the next payload of
instructions.  Nobody knows (yet) what they'll be, but SoBig-E erased itself,
put in a password grabber, and then installed a mail proxy for spammer use.

This one *may* just play the theme song from Bozo the Clown and erase itself,
but I severely doubt it's gonna be that nice.

http://www.f-secure.com/news/items/news_2003082200.shtml



James Smallacombe                     PlantageNet, Inc. CEO and Janitor
up () 3 am                                                          http://3.am
=========================================================================


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]