[unisog] sobig.f SMTP hosts?

Russell Fulton r.fulton at auckland.ac.nz
Wed Aug 20 20:35:35 GMT 2003

On Thu, 2003-08-21 at 06:30, Pollock, Joseph wrote:
> Like everyone else, we're seeing a lot of sobig.f delivered to the campus.
> I've looked at the tech descriptions from the major antivirus vendors, and
> they all agree that the virus has its own SMTP engine, but unlike some
> previous advisories, there is no list of SMTP servers used by the virus.

The virus uses MX records which it gets by doing DNS lookups. I have
been picking up infections really quickly by analysing outbound DNS
traffic and looking for user machines that are talking to the root name
servers.  All but a handful of machines are configured to use our local
DNS servers so sobig infections stand out.

My watcher program actually picks them up as outbound scans on port 53.

Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.
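The detection Russell describes (campus hosts that should only ever talk to the local resolvers suddenly querying root servers and many external nameservers on port 53) is easy to reproduce over flow records. The block below is an added example, not Russell's watcher program or anything from the original thread. The campus range 130.216.0.0/16, the resolver addresses, the exempt host, the scan threshold and the flow lines are all constructed for the example; the root-server addresses are listed only for illustration and should be taken from the current root hints file (named.root) in practice.

```python
import ipaddress
from collections import defaultdict

# --- Assumptions for this example (hypothetical, adjust to your site) ---
CAMPUS_NET = ipaddress.ip_network("130.216.0.0/16")   # assumed campus range
LOCAL_RESOLVERS = {"130.216.1.1", "130.216.1.2"}        # assumed site resolvers
EXEMPT = {"130.216.5.5"}   # the "handful" of hosts legitimately running recursion

# Root server addresses, illustrative only: load them from named.root in practice.
ROOT_SERVERS = {
    "198.41.0.4", "192.33.4.12", "199.7.91.13", "192.203.230.10",
    "192.5.5.241", "192.112.36.4", "198.97.190.53", "192.36.148.17",
    "192.58.128.30", "193.0.14.129", "199.7.83.42", "202.12.27.33",
}

# Constructed flow records (not real traffic): "timestamp src dst dport proto"
SAMPLE_FLOWS = """
2003-08-21T06:30:01 130.216.20.7 130.216.1.1 53 udp
2003-08-21T06:30:02 130.216.20.7 130.216.1.2 53 udp
2003-08-21T06:30:03 130.216.20.7 130.216.1.1 53 udp
2003-08-21T06:30:04 130.216.40.9 198.41.0.4 53 udp
2003-08-21T06:30:04 130.216.40.9 192.33.4.12 53 udp
2003-08-21T06:30:05 130.216.40.9 199.7.91.13 53 udp
2003-08-21T06:30:05 130.216.40.9 204.74.112.1 53 udp
2003-08-21T06:30:06 130.216.40.9 64.94.110.11 53 udp
2003-08-21T06:30:06 130.216.40.9 216.239.32.10 53 udp
2003-08-21T06:30:07 130.216.40.9 198.41.0.4 53 udp
2003-08-21T06:30:08 130.216.40.9 64.94.110.11 25 tcp
2003-08-21T06:30:09 130.216.5.5 198.41.0.4 53 udp
2003-08-21T06:30:10 130.216.33.2 4.2.2.2 53 udp
2003-08-21T06:30:11 203.0.113.5 130.216.1.1 53 udp
""".strip().splitlines()


def parse_flow(line):
    """Parse one flow line; return None for malformed input."""
    fields = line.split()
    if len(fields) != 5 or not fields[3].isdigit():
        return None
    ts, src, dst, dport, proto = fields
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto.lower()}


def outbound_dns(flows):
    """Yield DNS flows from ordinary campus hosts that bypass the local resolvers."""
    for f in flows:
        if f["dport"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue
        if ipaddress.ip_address(f["src"]) not in CAMPUS_NET:
            continue                        # inbound traffic is not our concern here
        if f["src"] in LOCAL_RESOLVERS or f["src"] in EXEMPT:
            continue                        # these are expected to talk to the world
        if f["dst"] in LOCAL_RESOLVERS:
            continue                        # normal client behaviour
        yield f


def summarise(lines):
    """Per source host: distinct external DNS targets and which of them are roots."""
    stats = defaultdict(lambda: {"root": set(), "external": set()})
    flows = [f for f in (parse_flow(l) for l in lines) if f]
    for f in outbound_dns(flows):
        stats[f["src"]]["external"].add(f["dst"])
        if f["dst"] in ROOT_SERVERS:
            stats[f["src"]]["root"].add(f["dst"])
    return stats


def suspects(lines, scan_threshold=5):
    """Hosts that contacted a root server or fanned out to many DNS targets."""
    flagged = {}
    for src, s in summarise(lines).items():
        reasons = []
        if s["root"]:
            reasons.append(f"contacted {len(s['root'])} root server(s)")
        if len(s["external"]) >= scan_threshold:
            reasons.append(f"{len(s['external'])} distinct external DNS targets (port 53 scan)")
        if reasons:
            flagged[src] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in sorted(suspects(SAMPLE_FLOWS).items()):
        print(host, "; ".join(reasons))
```

Two independent signals are kept on purpose: a host with its own resolver configured will also hit the roots, so the root-server rule alone produces the handful of known exceptions, while the fan-out count catches an MX-hunting worm even if the root addresses in the list are stale. The threshold is a site-specific assumption; a client that is correctly pointed at the local resolvers should have a count of zero.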
