[60920] in North American Network Operators' Group
Re: Don't beat me, but i've noticed a huge influx of these .pif virii today.
daemon@ATHENA.MIT.EDU (Steven M. Bellovin)
Tue Aug 19 19:15:16 2003
To: Drew Weaver <drew.weaver@thenap.com>
Cc: "'nanog@merit.edu'" <nanog@merit.edu>
Date: Tue, 19 Aug 2003 19:12:22 -0400
From: "Steven M. Bellovin" <smb@research.att.com>
Errors-To: owner-nanog-outgoing@merit.edu
In message <75634F04BFCFD511BF69009027DC86495C63B5@mailman.thenap.com>, Drew Weaver writes:
> Don't kill me for posting this, it may be slightly off topic but
>I have noticed a very odd spike in traffic with these virii that have .pifs
>attached to them.
>
>The subject is random.
>
>The body always says:
>
>"See attached file for details" and they're always a pif file.
>
>Anyone else notice this?

Please don't post in html.

Anyway -- it's the sobig.f virus. According to
http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html
it scans a variety of file types on the infected machine to find email
addresses to abuse.
It's not always a .pif file; sometimes, it's a .scr file.
--Steve Bellovin, http://www.research.att.com/~smb
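
The indicators mentioned in this thread (the fixed body text and a .pif or .scr attachment) can be checked on a mail gateway with a few lines of MIME parsing. The following is an added example, not part of the original message; the function names, verdict labels and the sample message are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from the thread: fixed body text, .pif or .scr attachment.
BODY_MARKER = "see attached file for details"
SUSPECT_EXTENSIONS = {".pif", ".scr"}

def suspect_attachments(msg):
    """Filenames of MIME parts whose final extension is .pif or .scr."""
    hits = []
    for part in msg.walk():
        name = part.get_filename()
        if name and os.path.splitext(name.strip().lower())[1] in SUSPECT_EXTENSIONS:
            hits.append(name)
    return hits

def body_matches(msg):
    """True if any unnamed text/plain part contains the fixed body text."""
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            if BODY_MARKER in part.get_content().lower():
                return True
    return False

def classify(raw_bytes):
    """Return (verdict, filenames) for one raw RFC 822 message."""
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    names = suspect_attachments(msg)
    if names and body_matches(msg):
        return "match", names
    return ("suspect-attachment" if names else "clean"), names

def build_sample(filename, body):
    """Constructed test message (not a captured sample); subject is arbitrary."""
    m = EmailMessage()
    m["Subject"] = "constructed subject"
    m["From"] = "sender@example.com"
    m["To"] = "rcpt@example.com"
    m.set_content(body)
    m.add_attachment(b"placeholder bytes", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    print(classify(build_sample("details.pif", "See attached file for details")))
```

Because the subject is random, the check keys on the attachment extension first and treats the body text only as a confirming signal.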