Received 137 emails this morning, but my virus checker got them all. The new virus "notsobig". This is not the blaster virus running around last week.

Got 3 from Chic Worthing. A couple from Atkinson Hunting adventures. Several from swamp at hunt america. Several from African Hunter. And many from names I have seen on the forums.

So, the virus is either picking up email addresses from the forums, or on your hard drive picking out addresses, or something else!

Anyway, if all you folks are not using a new, updated virus checker, you be in a heap of trouble boy!!! I am using Norton Antivirus 2003, it automatically logs on to the Norton site and checks for any new virus on the net.

Most of the virus's are around 99 to 135 K, the body of the message says "See attached details". If you open the attachment, you got the bug!! Many of the emails have the titles: Your Details, My Details, Wicked Screen Saver, Returned Email, Our Trip, etc. The titles are an easy trap to fall for.

[ 08-20-2003, 19:51: Message edited by: John Ricks ]

I use Norton Internet Security 2003. I had nothing untoward this morning after being away for about 4 days. I automatically delete anything I don't recognize, no questions asked.

Yep, same thing here. Get rid of the stuff, don't open garbage.

It's likely this new one is pulling email addresses off scam sites in addition to the regular forums we look at.

I got one from Chic this monring myself, said something about me having a virus and open file for directions on fixing it. Said the attachment wasn't infected and was scanned already etc. I deleted it and verified my virus scanner, Mcafee, was fairly current on updates.

I hate people that write viruses. I would like to tell all of you what I want to do to those kind of people, but don't want anybody to get scared :-) Let's just say it involves a potatoe peeler, salt, and a cheese grater.

Red

Yeah, Chic must have written the virus, cause I got one from him too.

Just kidding Chic, but your computer is screwed. John is right about the norton. That's what you really need to get. Actually, what I use is Spamkiller, plus Norton Antivirus. It's kinda like double protection, like wearing two condoms when you go to the cat house

Also get zonealarm. The virus is using using its own SMTP engine to send the mails, ZoneAlarm might prevent this 'unknown' process from accessing the net.

You can get a free version HERE .

-Steve

Most likely the new Blaster Worm, has already infected millions. Microsoft has the fix for it Here if you are already infected.
Also remember there are alot of new worms and virii that do not use mail, they scan for addresses and propgate thru openings in your security. Best way to avoid these is run your windows update and get all the security patches.

I have spent the last 2 days at the office trying to clear it up here. It's giving us fits and I cant seem to find the culprit. FYI just because it says it came from chic does not mean it came from him. Runtime will catch it when you open it if you had updated definitions but if you have the bug it can be difficult to get rid of. It runs in the background and starts when when your computer turns on. We had to write a script to delete it. If you have it norton can't quarantine it if it is running.

Bama

Naw, I did not mean it came from Chic, just for everybody to look for the darn thing and get rid of it. Guys like us are on so many sites that our address can be yanked from a lot of places.

Maybe this worm is clever, yanks up email addresses to send to and also yanks up adresses to use in the "From" space.

My server lets me look at the email address and where it comes from before downloading, so it is easy for me to get rid of the stuff. Norton Virus checker, my spam blocker and firewall take care of the other trash.

About the only use I can think of for the guys that write this trash is to hold targets in front of their chest as I regulate the sights on a 458 Lott.

I got it from Chic this morning as well, but deleted it before I got too far...

Strange thing is, that I recently changed email addresses, and I know that I haven't emailed Chic (send OR receive) since then, so it apparently is attaching somehow other than the "standard" address book type virus.

I think Chic is guilty. He called me several times today from his cell phone. He was on the way to Seattle, don't know why as he hates the place. I think he is running.

[ 08-21-2003, 23:16: Message edited by: Howard ]

It definitely 'gleans' addresses from various files. Here its MO from McAfee:

quote:

---

Virus Characteristics


This detection is for a new variant of W32/Sobig. In common with previous variants, the worm is written in MSVC, and bears the following characteristics:

propagates via email, constructing outgoing messages with its own SMTP engine
propagates over network shares (not confirmed in testing yet)
Note: The worm carries garbage data appended to end of file, so exact filesize and file checksum may vary.

Installation

The worm copies itself onto the victim machine as WINPPR32.EXE into %Windir%, for example:

C:\WINNT\WINPPR32.EXE
A configuration file is also dropped to %Windir%:

C:\WINNT\WINSTT32.DAT
The following Registry keys are added to hook system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"TrayX" = %Windir%\WINPPR32.EXE /sinc
Mail Propagation

The worm mails itself to email addresses harvested from the victim machine, using its own SMTP engine to construct outgoing messages. Target email addresses are harvested from files with the following extensions:

DBX
HLP
MHT
WAB
EML
TXT
HTM
HTML
Outgoing messages are constructed as follows:

Subject:

Your details
Thank you!
Re: Thank you!
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Attachment:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Body:

See the attached file for details
Please see the attached file for details
The "From:" address may be spoofed with an address extracted from the victim machine. Therefore the perceived sender is most likely not a pointer to the infected user.

Contacting Remote NTP Servers

The worm contains a list of IP addresses for remote NTP servers, to which it sends NTP packets (destination port 123).

Self-Termination

In common with previous W32/Sobig variants, this variant contains a date triggered self-termination routine. If the date is September 10th 2003 or later, the worm will no longer propagate.



Indications Of Infection


Existence of the WINPPR32.EXE file in %WinDir%
Existence of the Registry hooks detailed above
Unexpected NTP traffic to remote servers

---

Ah yes, viruses that attack outlook mail clients. Another reason to use Lotus Notes!

Generally I find that a computer loaded with viruses is indictive of a computer that often visits thehun

Hmmmmm!

I think Chic is quilty. He called me several times today from his cell phone. He was on the way to Seattle, don't know why as he hates the place. I think he is running.

If you're right maybe he only wanted you to think he was going to Seattle to throw you off the scent.

Jeff

Hey Jeff, he let you see your stock yet?

You guys have all the fun with virus's you want. I gave up fighting the virus's thing last year. Can you say "Apple" And it's been working for me ever since.

John,

Not yet. He told me a few days ago that the wood is too nice for a rifle so he is going to use it to make jewelery boxes to sell at craft shows

Jeff

Steve,

HOLY FREAKIN SHIT BATMAN!!!! I'm being bombarded by every e-mail subject line on the list you posted up there as we speak!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

I freaked out when I got that virus last month, the blaster one. The instructions from Norton or one of thems website walked me through it to get rid of the files etc, what a learning curve that was. I was able to stop the computer shutting down by saving the instructions to a word document to read before logging on and getting HIT AGAIN with almost immediate shutdown. After turning on the firewall or something, it let get to MS to download the patch. What a friggin nightmare that was...

I did a search of my C drive and never found the file you mentioned.

I have the preview pane shut off on the Outlook Express program and haven't opened any of the emails so I think that's why I haven't got it so far. The attachments and emails from this friggin thing are boggin down my email severely, hurry up and wait type deal.

Any way to fix the damn thing yet?

I'd change my email address but, it'd probably just start sending emails to it shortly afterward....

Here's one I just got, it's got no attachment, what the hell, is it safe or just a trick to get you to open it too?

From: Postmaster@state.mn.us

Subject: Warning - Virus Detected: W32/sobig.f@MM

Date: 8/22/03 4:38PM

Brent,

Go HERE and download the stinger program. I haven't tried it, but it's supposed to remove the 'Sobig' virus, plus a bunch more. This is from McAfee so it should work.

You may not have the virus if you never opened the attachment.

The e-mail that you recieved that stated the the virus was detected and removed was proabaly from ISP or one of the IPS's in the e-mails path. Check wiht your ISP to find out.
They probably installed a filter.

Let me know how it goes and good luck!!

-Steve

[ 08-23-2003, 07:01: Message edited by: Steve ]

This is crazy; I am being inundated with this virus. I have received hundreds of emails, many from address that look familiar. I have also gotten numerous emails stating your email can�t be delivered as addressed yet they are in response to emails I never sent. I have run the Norton removal tool and I don�t have the virus on my computer also Norton notifies me every time that the emails are infected and blocks access to them. What a pain in the neck.

Howard,

I started to get those emails of failed delivery last night too, now I'm getting ones that say a virus was detected in a message I sent them, and I've sent no messages to them, what a trick, I ain't opening them.

One's from "NAV for Microsoft exchange" Norton detected and quarantined a virus in a message you sent

The other from davidjohnson@kynite.com" Symantec detected a reparable/quarantined virus in a message you sent

Those two subject line don't sound the same do they? Funny they use the same words at the end... no attachments in these ones here tho, I still don't think they're safe to preview though.

I imagine they'll start flowing in and clogging up my email now, the others are sure doing a fine job at it so far, over 75 of them over the night alone, and all had the virus mentioned here, at least they all had attachments and one of the subject lines mentioned above and I never opened one yet.

Thanks Steve!!