[60908] in North American Network Operators' Group


Re: Don't beat me, but i've noticed a huge influx of these .pif virii today.

daemon@ATHENA.MIT.EDU (Henry Linneweh)
Tue Aug 19 17:22:38 2003

Date: Tue, 19 Aug 2003 14:21:23 -0700 (PDT)
From: Henry Linneweh <hrlinneweh@sbcglobal.net>
To: "Jade E. Deane" <jade.deane@riven.net>,
	Drew Weaver <drew.weaver@thenap.com>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
In-Reply-To: <1061324823.27254.14.camel@martini>
Errors-To: owner-nanog-outgoing@merit.edu


--0-2094655529-1061328083=:18830
Content-Type: text/plain; charset=us-ascii

Now having personally experienced the worm myself.....
This is how it went: there was no known way to remove the worm with
any current software for the variety that I had. It was mutagenic, recognized
AVP and other forms of disinfectors, and went nuts propagating itself to the
point the only solution left was a low-level format, format, and reinstall.

At that point we were not sure if the media itself was not damaged and
held our breath for a while; thankfully it was not, and now my box is back
up and running, minus the data that was not recoverable.

If anyone is having their techs do this, be nice to them and be kind,
because it takes about 6 hours plus to do each box completely.
 
-Henry

"Jade E. Deane" <jade.deane@riven.net> wrote:
Drew,
You're not seeing things. I would say you can thank "W32/Sobig.F-mm",
referenced in http://news.com.com/2100-1002_3-5065494.html.

Allow me to quote a bit from the story:

[quote]
The sender appears to be someone from a recognized domain name, such as
ibm.com, zdnet.com or microsoft.com. The subject line typically says
"Re: Details," "Resume" or "Thank you." 

Attachment names may include: your_document.pif, details.pif,
your_details.pif, thank_you.pif, movie0045.pif, document_Fall.pif,
application.pif, and document_9446.pif. 
[/quote]

Regards,
Jade

On Tue, 2003-08-19 at 15:33, Drew Weaver wrote:
> Don't kill me for posting this, it may be slightly off
> topic but I have noticed a very odd spike in traffic with these virii
> that have .pifs attached to them.
>
> The subject is random.
>
> The body always says:
>
> "See attached file for details" and they're always a pif file.
>
> Anyone else notice this?
>
> -Drew


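A defender-side triage check for the indicators Jade quotes above (subject lines, body text and .pif attachment names reported for W32/Sobig.F). This is an added example, not code from this thread; the sample messages, addresses and attachment bytes are constructed here for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the thread; matching is case-insensitive.
SUBJECTS = {"re: details", "resume", "thank you"}
BODY_TEXT = "see attached file for details"
ATTACHMENTS = {"your_document.pif", "details.pif", "your_details.pif",
               "thank_you.pif", "movie0045.pif", "document_fall.pif",
               "application.pif", "document_9446.pif"}


def sobig_indicators(raw: bytes) -> list:
    """Return the Sobig.F indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()          # covers both filename= and name=
        if name:
            lname = name.lower()
            if lname.endswith(".pif"):      # any .pif attachment is suspicious
                hits.append("pif-attachment:" + lname)
            if lname in ATTACHMENTS:        # exact names quoted in the story
                hits.append("known-name:" + lname)
        elif part.get_content_type() == "text/plain":
            if BODY_TEXT in part.get_content().lower():
                hits.append("body:see-attached-file")
    return hits


def _build(subject: str, body: str, attachment: str = "") -> bytes:
    """Construct a sample message; addresses and payload are made up."""
    m = EmailMessage()
    m["From"] = "someone@example.com"
    m["To"] = "ops@example.net"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"MZ-placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


WORM_SAMPLE = _build("Re: Details", "See attached file for details",
                     "your_document.pif")
BENIGN_SAMPLE = _build("Re: maintenance window", "Details are in the ticket.",
                       "plan.txt")
```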