[unisog] Sobig.f with stripped attachments.

Joseph Brennan brennan at columbia.edu
Wed Aug 27 12:57:19 GMT 2003

> We've been inundated with email from Sobig.f which did not
> include the attachment.  . . .
> Well, yesterday we saw the ``stripped off'' attachments originating
> from a local machine.

Confirmed-- many of these, and a sample from a local PC came
straight to our mail server.  The Content-Type says multipart
but it actually has only the one text/plain part.

It can be caught by checking for the distinctive mime boundary string
/boundary=\"_NextPart_000_........\"/ in the Content-Type header,
the same as messages with the actual virus.

We had 375,000 yesterday-- that combines the virus and the messages
missing the virus.

Joseph Brennan         Columbia University in the City of New York
Academic Technologies Group                   brennan at columbia.edu

More information about the unisog mailing list