Sobig and Blaster Worms Killing Me!

  • AGD-OfficeGal
    Dragon Lady
    • Sep 2001
    • 418

    #1

    Sobig and Blaster Worms Killing Me!

    My office email is receiving literally hundreds of "worm" emails a day. For example, in the last 20 minutes, 11 more came in.

    So PLEASE, if you are running windows, check your system, get the patches and fixes needed to clear up these worms. All the information you'll need can be found at http://antivirus.about.com or at Symantec or McAfee. Microsoft Windows Update has special info for the Blaster worm.

    I estimate I just deleted close to 400 of these emails to clean out my inbox. Five more came in while I was writing this post.

    Please check your PCs! Thanks!

    Marcia
    Buried in Worms!
  • Cyberious
    a.k.a Professor Porn Wang
    • Jan 2002
    • 561

    #2
    Don't know who configures your mail servers, but you may try having them block or strip any mail with the following attachments (*.htm, *.vbs, *.pif, *.scr, *.exe, *.com, *.bat). That would stop about 95% of the email-borne viruses from even reaching your inbox. You should also be able to put a rule in Outlook or other types of email clients that will block or just trash can those. Depends on what you use though. As far as Blaster (and variants), you're right, everybody should be patching their systems. If I can assist, PM me (I'm a computer virus researcher in real life).

    Cyberious

    WANG Force!


    Abandon All Hope
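
The attachment rule suggested in post #2, sketched as an added example (not code from the thread or from any mail product). It walks a message's MIME parts and matches the final extension against the list in that post; the function names, the quarantine verdict and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions listed in post #2: *.htm, *.vbs, *.pif, *.scr, *.exe, *.com, *.bat
BLOCKED = {".htm", ".vbs", ".pif", ".scr", ".exe", ".com", ".bat"}

def blocked_attachments(raw: bytes) -> list:
    """Return the filenames of MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        # Compare case-insensitively and ignore trailing dots/spaces,
        # which Windows drops when the file is saved.
        clean = name.strip().rstrip(". ").lower()
        dot = clean.rfind(".")
        # Only the last extension decides how the file is opened, so
        # "notes.txt.scr" is treated as .scr, not .txt.
        if dot != -1 and clean[dot:] in BLOCKED:
            hits.append(name)
    return hits

def verdict(raw: bytes) -> str:
    """Hold the whole message (assumed policy) instead of stripping the part."""
    return "quarantine" if blocked_attachments(raw) else "deliver"

def sample(filename: str) -> bytes:
    """Constructed test message carrying one attachment with the given name."""
    m = EmailMessage()
    m["From"] = "someone@example.net"
    m["To"] = "office@example.org"
    m["Subject"] = "Re: Details"
    m.set_content("Please see the attached file for details.")
    m.add_attachment(b"constructed placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    for fn in ("your_details.pif", "notes.txt.SCR", "report.pdf"):
        print(fn, "->", verdict(sample(fn)))
```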


    • AGD-OfficeGal
      Dragon Lady
      • Sep 2001
      • 418

      #3
      The attachments are being stripped but I am getting the emails they were attached to - and I can't assume, for example, that an email with a message of "thanks" is a worm.

      Also, my address is being spoofed as a sender's address somewhere so I am getting a ton of bounces from mail I never sent, and I have to check every undeliverable message to see whether it is legit or not.

      M


      • Webmaster
        Former Moderator

        • Oct 2000
        • 1765

        #4
        I have about 500 and counting emails thanks to sobig and AO users - hehe... I still get 3-20 a day from Klez emails.

        Problems or questions with the site or your account? Email me: [email protected] I collect old guns and paintball gear. Email me if you have stuff to sell!

        Paintball Never Dies - www.vintagerex.com


        • dinger
          I AM THE BIG DINGER!!
          • Jul 2003
          • 1267

          #5
          I check my Yahoo email when I feel like it... which is VERY rare. And it's usually got 1400 messages in it taking up 7 MB of space, hahaha
          Currently the 186th top poster on AO!! member# 13650
          Feedback :)

          "... i splooge when i touch it :D
          ~Ultimatepaintballer


          • Muzikman
            Everything AGD
            • Dec 2000
            • 6229

            #6
            The problem with the SoBig virus is that what you are getting is probably not the actual virus. You are affected by the virus but not infected. This is another one of those viruses that sends emails to people in your address book to propagate the virus. The interesting thing about this one that not many had before it is its own SMTP server. This means it picks a name out of the address book, and sends email to other people in the address book as this person. That way when an infected email is caught by a mail server's virus scan it thinks it's being sent by person B when in fact it's being sent by person A. It then sends a rejection notice to person B saying that the email had a virus and cannot be sent.

            This is why most of the emails you get back are from people you did not send an email to, don't know and your PC may have been powered off at the time it said the email was sent.

            The company I work for got hit with this and there is not much we can do as we don't actually have a virus, but our users keep getting rejected emails saying they do.
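
A way to automate the bounce checking described in posts #3 and #6, as an added example that is not part of the original posts. It pulls the Message-ID of the original mail out of each bounce and compares it with a log of Message-IDs your own server actually issued; that log (`SENT_IDS`), the function names and the sample bounces are assumptions constructed for illustration.

```python
from email import message_from_bytes, message_from_string, policy
from email.message import EmailMessage

def original_message_id(bounce_raw):
    """Message-ID of the mail a bounce refers to, or None if none is embedded."""
    bounce = message_from_bytes(bounce_raw, policy=policy.default)
    for part in bounce.walk():
        ctype = part.get_content_type()
        if ctype == "message/rfc822":          # full original attached
            inner = part.get_payload(0)
        elif ctype == "text/rfc822-headers":   # only the original's headers
            inner = message_from_string(part.get_content(), policy=policy.default)
        else:
            continue
        if inner["Message-ID"]:
            return str(inner["Message-ID"]).strip()
    return None

def classify_bounce(bounce_raw, sent_ids):
    """'genuine' if we sent the original, 'backscatter' if not, else 'unverifiable'."""
    mid = original_message_id(bounce_raw)
    if mid is None:
        return "unverifiable"      # nothing to match on: needs a human look
    return "genuine" if mid in sent_ids else "backscatter"

def make_bounce(orig_id, headers_only=False):
    """Constructed sample bounce (simplified; real DSNs are multipart/report)."""
    dsn = EmailMessage()
    dsn["From"] = "MAILER-DAEMON@mx.example.net"
    dsn["To"] = "marcia@example.org"
    dsn["Subject"] = "Undeliverable: virus found in your message"
    dsn.set_content("The message you sent was rejected.")
    if orig_id is None:
        return dsn.as_bytes()
    if headers_only:
        hdrs = f"Message-ID: {orig_id}\nFrom: marcia@example.org\n"
        dsn.add_attachment(hdrs, subtype="rfc822-headers")
    else:
        orig = EmailMessage()
        orig["From"] = "marcia@example.org"   # forged sender; proves nothing
        orig["Message-ID"] = orig_id
        orig.set_content("Please see the attached file for details.")
        dsn.add_attachment(orig)
    return dsn.as_bytes()

# Constructed log of Message-IDs our own server really issued (assumption).
SENT_IDS = {"<20030825.0001@mail.example.org>"}
```

The From address inside the bounce is deliberately ignored, since that is the field being forged; only an identifier your own server generated can tie a bounce to mail you really sent.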


            • Load SM5
              Scruffy Administrator

              • Oct 2000
              • 6772

              #7
              I just got a notice last night saying that an e-mail that I didn't send was labeled unsendable as it was infected with a virus. So you're saying that I don't have or do have this thing? I've never gotten a suspicious e-mail nor have any virus scans that I've run to specifically look for these viruses turned up anything.


              Moorewatch

              If you read this, thank a teacher.
              If you read this in English, thank a soldier.


              • cphilip
                Former Moderator

                • Jun 2026
                • 16216

                #8
                Yea... same sort of thing I got going on here. Many undeliverable that I didn't send and such and so forth. Even people then emailing me that I sent them emails. Which I know is not the case. I know I am clean here. But someone out there (many) have my email address in their box and it's in their computer and this virus is getting my email from their computer using my email addy to send this on. And many other people's as well. It's rarely the one it says the email is from that has the virus.

                So... If you get one from me... it's prolly not me unless it's really me... um... er...


                AGD, where we are so good we can do it with only ONE tube!

                cphilip.com


                • cphilip
                  Former Moderator

                  • Jun 2026
                  • 16216

                  #9
                  It's not you, Load. It is someone who has your email in their address book. But they're not even aware that it's in there and it's sending out emails as you. That's the problem. The person who has it may not even be aware he does.


                  AGD, where we are so good we can do it with only ONE tube!

                  cphilip.com


                  • Evil Bob
                    Evil Overlord
                    • Jul 2001
                    • 1217

                    #10
                    Actually, the MSBlaster and related variants replicate themselves on port 135-139 at the NetBIOS level; your system can get infected without having opened a single email. These latest strains use the network socket level and security flaws in the Windows OS to propagate themselves. You could have it and not even know it.

                    Do yourself a favor and go to McAfee's "stinger" site and read through the method to remove the virus. Stinger is a small free download, it's only 700k so it's 56k modem friendly: http://vil.nai.com/vil/stinger/

                    -Evil Bob


                    • Muzikman
                      Everything AGD
                      • Dec 2000
                      • 6229

                      #11
                      Evil: You are correct, but SoBig is not a variant of Blaster. Marcia seems to be complaining about all the emails more than her PC rebooting, so I figured I would give the best explanation I can on the SoBig virus. It's also the more destructive on a single computer, because unlike MSBlaster or Nachi it's not just as simple as installing a patch to fix.


                      • Paintchucker

                        #12
                        Ends on the 10th...

                        Luckily, the SoBigF Virus has an expiration date built into it. It should all stop on Wednesday Sept.10th...

                        I run our company's email filter system. It crashed one of our servers from the volume. We are getting 125,000+ SoBigF virus related messages a day. This is more than our normal 75,000 email/day volume. It is a nasty one...


                        • Muzikman
                          Everything AGD
                          • Dec 2000
                          • 6229

                          #13
                          That's good to know. I don't manage the Notes servers here, but I do manage over 30 networks with at least one server each across the world, so I have been protecting against the MSBlaster and Nachi over the past few weeks. Though the systems supported out of Pittsburgh were not infected, our counterparts in Canada got hit REAL hard to the point where it started to affect users' ability to work because their data was on a Canadian server. I have also been annoyed by the LoveGate virus which is easy to clean, but just really annoying...


                          • cphilip
                            Former Moderator

                            • Jun 2026
                            • 16216

                            #14
                            Originally posted by Evil Bob
                            ....you could have it and not even know it.
                            You can't have it if you're not using a Windows machine! ;-)


                            AGD, where we are so good we can do it with only ONE tube!

                            cphilip.com


                            • FutureMagOwner
                              Registered User
                              • Dec 2001
                              • 3354

                              #15
                              I'm just curious, what's the point of these kinda viruses? Do they do any actual damage or steal information, or just massively annoy people and crash email servers?
