[Dshield] Return/Revenge of SoBig?

Jeff Kell jeff-kell at utc.edu
Sat Feb 7 04:42:29 GMT 2004


For whatever reason, I had a rash of SoBig.F (apparently the F variant)
break out today (Friday) in the publicized Friday [or Sunday] 1900-2200
GMT timeframe for it to "phone home" to a list of servers on udp/8998.
They also had udp/995-999 open; everything matches the F variant,
although I haven't had my hands on an infected machine yet (just whacked
them).

It was supposed to stop replicating Sep 10 2003, which may well be true
as there was no associated mass-mailing from the affected machines, but 
the virus is still trying to do the phone-home thing to the machines 
listed in McAfee's database (search them for SoBig.F, I don't have the 
URL handy at the moment).

Anyone else seeing this activity (or are you looking for it)?  It isn't 
dead yet!

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga
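
Added example (not part of the original post): one way to look for the activity described above in flow logs, by flagging internal hosts that send udp/8998 during the Friday/Sunday 1900-2200 GMT window. The CSV layout, field names, sample addresses and the half-open treatment of the window end are assumptions made for this example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

PHONE_HOME_PORT = 8998                        # udp/8998, as reported in the post
WINDOW_DAYS = {4, 6}                          # datetime.weekday(): Friday=4, Sunday=6
WINDOW_START_HOUR, WINDOW_END_HOUR = 19, 22   # 1900-2200 GMT, end treated as exclusive (assumption)

# Constructed sample flow records (hypothetical CSV export; RFC 1918 / RFC 5737 addresses).
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport
2004-02-06T19:03:11Z,10.1.4.23,192.0.2.10,udp,8998
2004-02-06T19:03:12Z,10.1.4.23,198.51.100.7,udp,8998
2004-02-06T20:15:40Z,10.1.9.77,192.0.2.10,udp,8998
2004-02-06T20:16:02Z,10.1.2.5,203.0.113.53,udp,53
2004-02-06T21:59:59Z,10.1.4.23,203.0.113.99,udp,8998
2004-02-06T22:00:00Z,10.1.6.8,192.0.2.10,udp,8998
2004-02-04T19:30:00Z,10.1.3.3,192.0.2.10,udp,8998
2004-02-08T19:30:00Z,10.1.5.5,192.0.2.10,tcp,8998
"""

def in_window(ts):
    """True if a UTC timestamp falls in the Friday/Sunday 19:00-22:00 window."""
    return ts.weekday() in WINDOW_DAYS and WINDOW_START_HOUR <= ts.hour < WINDOW_END_HOUR

def find_phone_home(flow_csv):
    """Return (in_window, off_window): each maps source host -> sorted destinations
    contacted on udp/8998. Off-window hits are kept separately for review."""
    hits, off = defaultdict(set), defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "udp" or int(row["dport"]) != PHONE_HOME_PORT:
            continue
        ts = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        (hits if in_window(ts) else off)[row["src"]].add(row["dst"])
    return ({s: sorted(d) for s, d in hits.items()},
            {s: sorted(d) for s, d in off.items()})

if __name__ == "__main__":
    suspects, other = find_phone_home(SAMPLE_FLOWS)
    for src, dsts in sorted(suspects.items()):
        print(f"{src}: udp/{PHONE_HOME_PORT} in window -> {', '.join(dsts)}")
    for src, dsts in sorted(other.items()):
        print(f"{src}: udp/{PHONE_HOME_PORT} outside window -> {', '.join(dsts)}")
```

Hosts that contact several distinct destinations on udp/8998 inside the window are the closest match to the behaviour reported in the post; single off-window hits are listed only so they can be reviewed.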



