[Steppes] Virus making the rounds

Kevin Black kblack4 at hotmail.com
Wed Aug 20 10:59:07 PDT 2003


Actually that's not quite true.  While it may be spoofing the return address, 
it is in fact spreading as a worm and gathering address book info. There are 
also variants of the Re. Details (re. movie, re. thanks etc.):

<cut and paste>

NEW YORK - A new strain of one of the most virulent e-mail viruses ever 
spread quickly worldwide Tuesday morning, causing fresh annoyance to users 
worn out by last week's outbreak of the Blaster worm.

The new virus, named "Sobig.F" by computer security companies, attacks 
Windows users via e-mail and file-sharing networks. It also deposits a 
Trojan horse, or hacker back door, that can be used to turn victims' PCs 
into senders of spam e-mail.

MessageLabs Inc., a company that filters e-mail for corporations, had 
blocked more than 100,000 copies of Sobig.F by midday Tuesday, making it by 
far the most active virus of the day.

"It's definitely spreading very quickly, just an incredible ramp-up so far 
this morning," said Brian Czarny, marketing director at MessageLabs. The 
variant is likely to be one of the more successful versions of a very 
successful virus strain, he said.

The previous Sobig.A and Sobig.B variants are both on MessageLabs' list of 
the biggest 10 e-mail viruses of all time.

The e-mail message that carries Sobig.F has the subject line "Re: Details" 
and the message "Please see attached file for details." If a recipient 
clicks on the attachment, which can have multiple names ending in the .pif 
file extension, the computer will be infected.

The virus will then send itself out to names found in the victim's address 
book and will use one of these names to forge a return address. As such, the 
infected party may not quickly learn of the infection, while an innocent 
party may get the blame for helping to propagate it.



Hubert d'Aiguës-Mortes
Qui fait plus, mieux vaux




>From: "Chiara" <chiara at io.com>
>Reply-To: chiara at io.com,   "Barony of Steppes - SCA,Inc." 
><steppes at ansteorra.org>
>To: <steppes at ansteorra.org>
>Subject: Re: [Steppes] Virus making the rounds
>Date: Wed, 20 Aug 2003 11:17:29 -0500 (CDT)
>
>Actually, the flavor of this one is rather bad. It is a spoofer. It
>started two nights ago and is still going strong. It is originating in
>China and it is spoofing specific ISP's. Unfortunately mine is one of
>them.
>
>It does not mean that I am infected or that my ISP is infected. It means
>that they have taken the ending of many internet companies and attached it
>to mail addresses and sent the thing out. AOL and ansteorra.org are also
>being abused in this manner. Again, we are not infected, just being
>abused.
>
>However it does not hurt to be covered and covered we are. :)
>
>Chiara
>
>




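Added illustration, not part of the original posts or the quoted article: a mail-gateway style check built only on the traits the article reports (subject "Re: Details", the "Please see attached file for details." text, an attachment ending in .pif). Because the return address is forged, the From header is ignored; the function names, addresses and sample messages are constructed for this example.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Traits reported in the article quoted above. The extension list holds only
# the extension the article names; a real gateway policy would be broader.
BLOCKED_EXTENSIONS = (".pif",)
REPORTED_SUBJECT = "re: details"
REPORTED_BODY = "please see attached file for details"

def inspect_message(raw):
    """Classify one raw RFC 5322 message. The From header is never consulted,
    because the worm forges it from harvested address-book entries."""
    msg = message_from_string(raw, policy=policy.default)
    blocked = []
    for part in msg.iter_attachments():
        # Windows ignores trailing dots and spaces, so normalise before matching.
        name = (part.get_filename() or "").lower().rstrip(". ")
        if name.endswith(BLOCKED_EXTENSIONS):
            blocked.append(name)
    hints = []
    if str(msg.get("Subject", "")).strip().lower() == REPORTED_SUBJECT:
        hints.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and REPORTED_BODY in body.get_content().lower():
        hints.append("body")
    # Only the executable attachment triggers quarantine; subject and body text
    # are common phrases and serve as supporting context for the analyst.
    return {"quarantine": bool(blocked), "attachments": blocked, "hints": hints}

def build_sample(filename, subject="Re: Details"):
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "someone@example.org"
    m["To"] = "list@example.org"
    m["Subject"] = subject
    m.set_content("Please see attached file for details.")
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    for fn in ("DETAILS.PIF", "minutes.txt"):
        print(fn, inspect_message(build_sample(fn)))
```
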
