[Dshield] looks like a new virus via spaming

Coxe, John B. JOHN.B.COXE at saic.com
Tue Aug 19 19:03:33 GMT 2003


They also come in (the pifs and scrs) in zips.  So if your scanner doesn't
open those zips, they'll pass right on through.  We are also in the middle
of confirming that the most recent ones are using random address book /
directory addresses as their originator address.  That will compound the
problem of sourcing an infection.

-----Original Message-----
From: Louis Hablas [mailto:Lou.Hablas at rzim.org]
Sent: Tuesday, August 19, 2003 11:51 AM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] looks like a new virus via spaming


Seeing the same thing here...Looks like Sobig.F; attempting to come via .scr
and .pif attachment...make sure you're stripping these extensions at the
door.



-----Original Message-----
From: Coxe, John B. [mailto:JOHN.B.COXE at saic.com]
Sent: Tuesday, August 19, 2003 2:28 PM
To: 'General DShield Discussion List'
Subject: RE: [Dshield] looks like a new virus via spaming


This one is all over.  Variations appear to exist as well.  Starting to see
a lot of them using addresses at winzip.com for originators (help@,
support@, and sitesales@) lately.

-----Original Message-----
From: Dan [mailto:dan at dbdigitalweb.com]
Sent: Tuesday, August 19, 2003 10:32 AM
To: General DShield Discussion List
Subject: Re: [Dshield] looks like a new virus via spaming


Hello all,
Well I just got mail bombed with some new virus (at least that was my
bet) called movie0045.pif.  It was all deleted before it reached my machine
(mail washer).  The subjects vary between Your details, that movie,
approved, thank you!, or wicked screen saver.  They appear to come from
various sources, but I suspect that it is all the same spammer just using
various different paths open to him as they all came in to the same email
address at only a few minutes/seconds apart.

Just wondering if anyone else has seen this.

Oh I forgot to mention about 30 of these hit my mailbox so far and still
coming.  And it looks like some of them used my email as a return address
as I got a message from one of them:

"The mail message you sent to (*******************) on 08/19/2003 11:27:38
with the file wicked_scr.scr contains the WORM_SOBIG.F virus. If you have
questions regarding files or updating/installing Anti-virus protection on
your PC, please contact your e-mail administrator or help desk."

So it appears that the ones named "wicked screen saver" did have the sobig
virus.  And I bet that the rest of them did as well.


-Dan

_______________________________________________
list mailing list
list at dshield.org
To change your subscription options (or unsubscribe), see:
http://www.dshield.org/mailman/listinfo/list



The information contained in this message may be CONFIDENTIAL and is for the
intended addressee only.  Any unauthorized use, dissemination of the
information, or copying of this message is prohibited.  If you are not the
intended addressee, please notify the sender immediately and delete this
message.
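
The check discussed in this thread (strip .pif/.scr at the door, including copies wrapped in a zip), as an added example that is not part of the original messages. It uses only the Python standard library; the function names, the size cap and the sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXTS = (".pif", ".scr")     # the two extensions named in this thread
MAX_MEMBER_BYTES = 5 * 1024 * 1024  # assumed cap on members unpacked for nested-zip checks

def is_blocked(name):
    # Trailing dots/spaces are dropped by Windows, so ignore them when matching
    return name.lower().rstrip(". ").endswith(BLOCKED_EXTS)

def scan(name, data, depth):
    """Return blocked paths found in one attachment, looking inside zips."""
    if is_blocked(name):
        return [name]
    # Sniff the content instead of trusting a .zip file name
    if depth == 0 or not zipfile.is_zipfile(io.BytesIO(data)):
        return []
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            inner = b""
            # Unpack only small, unencrypted members (to find zips inside zips)
            if not info.flag_bits & 0x1 and info.file_size <= MAX_MEMBER_BYTES:
                inner = zf.read(info)
            hits += [f"{name}!{h}" for h in scan(info.filename, inner, depth - 1)]
    return hits

def blocked_attachments(raw_message, max_depth=2):
    """List attachments (or 'archive!member' paths) a gateway should strip."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        hits += scan(part.get_filename() or "", data, max_depth)
    return hits

def build_sample():
    """Constructed message: a zipped .pif, a bare .scr and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("movie0045.pif", b"constructed placeholder, not a real sample")
    msg = EmailMessage()
    msg["Subject"] = "Your details"
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="movie0045.zip")
    msg.add_attachment(b"placeholder", maintype="application", subtype="octet-stream", filename="wicked_scr.scr")
    msg.add_attachment("notes", filename="readme.txt")
    return msg.as_bytes()
```

Member names are read from the zip's central directory, so a password-protected archive still has its member names checked even though its contents are not unpacked.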
