[Dshield] Return/Revenge of SoBig?
jeff-kell at utc.edu
Sat Feb 7 04:42:29 GMT 2004
For whatever reason, I had a rash of SoBig.F (apparently the F variant)
break out today (Friday) in the publicized Friday [or Sunday] 1900-2200
GMT timeframe for it to "phone home" to a list of servers on udp/8998.
They also had udp/995-999 open; everything matches the F variant
although I haven't had my hands on an infected machine yet (just whacked
It was supposed to stop replicating Sep 10 2003 which may well be true
as there was no associated mass-mailing from the affected machines, but
the virus is still trying to do the phone-home thing to the machines
listed in McAfee's database (search them for SoBig.F, I don't have the
URL handy at the moment).
Anyone else seeing this activity (or are you looking for it)? It isn't
University of Tennessee at Chattanooga
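
For anyone who wants to look for the activity described above, here is an added example (not part of the original post) that scans flow records for udp/8998 traffic and separates hits inside the Friday/Sunday 1900-2200 GMT window from hits outside it. The record format, the addresses, and the exclusive 22:00 cutoff are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timezone

PHONE_HOME_PORT = 8998        # udp/8998, as reported in the post
WINDOW_DAYS = {4, 6}          # Friday, Sunday (datetime.weekday())
WINDOW_HOURS = range(19, 22)  # 19:00 <= t < 22:00 GMT; exclusive end is an assumption

# Constructed sample records (not real traffic): "UTC-time src dst proto dport"
SAMPLE_FLOWS = """\
2004-02-06T19:05:12Z 10.1.4.23 192.0.2.10 udp 8998
2004-02-06T19:05:14Z 10.1.4.23 192.0.2.77 udp 8998
2004-02-06T20:30:00Z 10.1.7.8 198.51.100.5 udp 53
2004-02-06T14:00:00Z 10.1.9.9 192.0.2.10 udp 8998
2004-02-08T21:59:59Z 10.1.4.40 203.0.113.9 udp 8998
2004-02-08T22:00:00Z 10.1.4.41 203.0.113.9 udp 8998
2004-02-06T19:10:00Z 10.1.4.23 192.0.2.10 tcp 8998
"""

def in_window(ts):
    """True if ts falls in the publicized Friday/Sunday phone-home window."""
    return ts.weekday() in WINDOW_DAYS and ts.hour in WINDOW_HOURS

def find_phone_home(lines):
    """Return (in_window, off_window) dicts: source -> set of udp/8998 destinations."""
    hits, off = defaultdict(set), defaultdict(set)
    for line in lines:
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        when, src, dst, proto, dport = fields
        if proto.lower() != "udp" or dport != str(PHONE_HOME_PORT):
            continue  # only the UDP phone-home port is of interest
        ts = datetime.strptime(when, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        (hits if in_window(ts) else off)[src].add(dst)
    return dict(hits), dict(off)

if __name__ == "__main__":
    hits, off = find_phone_home(SAMPLE_FLOWS.splitlines())
    for src, dsts in sorted(hits.items()):
        print(f"{src}: udp/{PHONE_HOME_PORT} in window -> {sorted(dsts)}")
    for src, dsts in sorted(off.items()):
        print(f"{src}: udp/{PHONE_HOME_PORT} outside window -> {sorted(dsts)}")
```

A source that contacts several distinct destinations on udp/8998 inside the window is the strongest match for the behaviour described; off-window hits are listed separately for manual review.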