[Dshield] Return/Revenge of SoBig?

Jeff Kell jeff-kell at utc.edu
Sat Feb 7 04:42:29 GMT 2004

For whatever reason, I had a rash of SoBig.F (apparently the F variant) 
break out today (Friday) in the publicized Friday [or Sunday] 1900-2200 
GMT timeframe for it to "phone home" to a list of servers on udp/8998.
They also had udp/995-999 open; everything matches the F variant 
although I haven't had my hands on an infected machine yet (just whacked 

It was supposed to stop replicating Sep 10 2003, which may well be true 
as there was no associated mass-mailing from the affected machines, but 
the virus is still trying to do the phone-home thing to the machines 
listed in McAfee's database (search them for SoBig.F, I don't have the 
URL handy at the moment).

Anyone else seeing this activity (or are you looking for it)?  It isn't 
dead yet!

Jeff Kell
System/Network Security
University of Tennessee at Chattanooga
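
Added example, not part of the original message: one way to look for the activity described above is to scan flow records for internal hosts sending udp/8998 during the Friday/Sunday 1900-2200 GMT window. The flow-line format, the addresses and the exclusive 22:00 cut-off are assumptions made for this sketch.

```python
from collections import defaultdict
from datetime import datetime, timezone

PHONE_HOME_PORT = 8998   # udp/8998, as reported in the post
WINDOW_DAYS = {4, 6}     # datetime.weekday(): Friday=4, Sunday=6
WINDOW_HOURS = (19, 22)  # 1900-2200 GMT; end treated as exclusive (assumption)

# Constructed sample flows (assumed format): UTC timestamp, proto, src, dst
SAMPLE_FLOWS = """\
2004-02-06T19:03:11Z udp 10.1.4.23:1045 198.51.100.7:8998
2004-02-06T19:03:12Z udp 10.1.4.23:1045 203.0.113.40:8998
2004-02-06T19:05:40Z udp 10.1.9.80:1102 198.51.100.7:8998
2004-02-06T14:10:00Z udp 10.1.7.5:2001 198.51.100.7:8998
2004-02-06T20:15:00Z tcp 10.1.2.2:3310 192.0.2.10:8998
2004-02-06T21:59:59Z udp 10.1.4.23:1045 192.0.2.55:8998
2004-02-06T22:00:00Z udp 10.1.3.3:1500 192.0.2.55:8998
2004-02-05T19:30:00Z udp 10.1.6.6:1200 192.0.2.55:8998
malformed line
"""

def in_window(ts):
    """True if ts (UTC) falls inside the publicized phone-home window."""
    return ts.weekday() in WINDOW_DAYS and WINDOW_HOURS[0] <= ts.hour < WINDOW_HOURS[1]

def parse_flow(line):
    """Return (ts, proto, src_ip, dst_ip, dst_port), or None if unparseable."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = parts[2].rpartition(":")[0]
        dst, _, dport = parts[3].rpartition(":")
        return ts, parts[1].lower(), src, dst, int(dport)
    except ValueError:
        return None

def find_suspects(text):
    """Map each source host to the sorted udp/8998 destinations it contacted in-window."""
    suspects = defaultdict(set)
    for flow in filter(None, map(parse_flow, text.splitlines())):
        ts, proto, src, dst, dport = flow
        if proto == "udp" and dport == PHONE_HOME_PORT and in_window(ts):
            suspects[src].add(dst)
    return {src: sorted(dsts) for src, dsts in suspects.items()}

if __name__ == "__main__":
    for src, dsts in find_suspects(SAMPLE_FLOWS).items():
        print(f"{src}: udp/{PHONE_HOME_PORT} to {len(dsts)} hosts: {', '.join(dsts)}")
```

A host contacting several distinct destinations on udp/8998 inside the window is a stronger signal than a single packet, which is why the result groups destinations per source.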
