Brace yourselves.. W32/Sobig-F about to mutate...

A quick heads up, if anybody hasn't heard:

At 1900GMT today, ET phones home, and picks up the next payload of
instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
put in a password grabber, and then installed a mail proxy for spammer use.

This one *may* just play the theme song from Bozo the Clown and erase itself,
but I severely doubt it's gonna be that nice.

http://www.f-secure.com/news/items/news_2003082200.shtml

"On this moment, the worm starts to connect to machines found from an encrypted
list hidden in the virus body. The list contains the address of 20 computers
located in USA, Canada and South Korea."

erm so why don't we just block (preferably bgp null route) these sites?

If we can post here as soon as these mystery machines and\or ports are
known we can all throw up ACLs, but if the wormwriters learned from "How
to Own the Internet in Your Spare Time", by the time we throw up ACLs,
it's probably already too late.

scott

Just started getting it here...it came from a local Comcast cable user,
and so overwhelmed the mail server, that SpamAssassin and qmail-scanner
stopped scanning it. I had to nullroute that IP to stop it...

it looks like this:

Return-Path: <admin@duma.gov.ru>
Delivered-To: james@pil.net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
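As an added illustration (not part of this thread or any of the posters' tooling), the check below parses a qmail-style header block like the one above, pulls the connecting peer out of the `Received: from ... (HELO ...) (ip)` line, flags a remote host that announces itself as `localhost`, and prints the blackhole route an operator would install. The header sample is constructed from the lines quoted in the post; the `ip route add blackhole` form is Linux iproute2 syntax, assumed as the operator's tool.

```python
import re
import ipaddress
from typing import Optional, Tuple

# Constructed sample: the header block quoted in the post above.
SAMPLE_HEADERS = """\
Return-Path: <admin@duma.gov.ru>
Delivered-To: james@pil.net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
"""

# qmail-smtpd records the peer as: from <rdns> (HELO <helo>) (<ip>)
RECEIVED_RE = re.compile(
    r"^Received: from (?P<rdns>\S+) \(HELO (?P<helo>[^)]+)\) \((?P<ip>[\d.]+)\)",
    re.MULTILINE,
)


def unfold_headers(raw: str) -> str:
    """Join RFC 2822 folded continuation lines (leading whitespace) onto the previous line."""
    return re.sub(r"\r?\n[ \t]+", " ", raw)


def originating_hop(raw: str) -> Optional[Tuple[str, str, str]]:
    """Return (reverse-dns, helo, ip) of the connecting peer, or None if absent."""
    m = RECEIVED_RE.search(unfold_headers(raw))
    if not m:
        return None
    return m.group("rdns"), m.group("helo"), m.group("ip")


def suspicious_hop(raw: str) -> bool:
    """A non-loopback peer claiming to be localhost in HELO is lying about
    itself; that alone is a reasonable trigger to rate-limit or block it."""
    hop = originating_hop(raw)
    if hop is None:
        return False
    _rdns, helo, ip = hop
    claims_local = helo.strip().lower() in {"localhost", "127.0.0.1"}
    return claims_local and not ipaddress.ip_address(ip).is_loopback


def null_route_cmd(raw: str) -> Optional[str]:
    """Blackhole route for the peer (assumed Linux iproute2 syntax)."""
    hop = originating_hop(raw)
    return f"ip route add blackhole {hop[2]}/32" if hop else None


if __name__ == "__main__":
    if suspicious_hop(SAMPLE_HEADERS):
        print(null_route_cmd(SAMPLE_HEADERS))
```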

Stephen J. Wilcox
Sent: Friday, August 22, 2003 2:15 PM
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
Subject: Re: Brace yourselves.. W32/Sobig-F about to mutate...

> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of
> instructions. Nobody knows (yet) what they'll be, but SoBig-E erased itself,
> put in a password grabber, and then installed a mail proxy for spammer use.

"On this moment, the worm starts to connect to machines found from an encrypted
list hidden in the virus body. The list contains the address of 20 computers
located in USA, Canada and South Korea."

erm so why don't we just block (preferably bgp null route) these sites?

I believe that InterNAP has already implemented this in all of their
PNAP's.

Todd

The security@microsoft.com address may fool them, but I would be very
suspicious of a Microsoft patch that was only 9.6KB :)

Parts/Attachments:
   1 Shown 3 lines Text
   2 9.6 KB Application
   3 Shown 0 lines Text
----------------------------------------

Adam Maloney
Systems Administrator
Sihope Communications