[61085] in North American Network Operators' Group


Re: Brace yourselves.. W32/Sobig-F about to mutate...

daemon@ATHENA.MIT.EDU (up@3.am)
Fri Aug 22 14:26:53 2003

Date: Fri, 22 Aug 2003 14:16:32 -0400 (EDT)
From: up@3.am
To: Valdis.Kletnieks@vt.edu
Cc: nanog@merit.edu
In-Reply-To: <200308221807.h7MI78sn018727@turing-police.cc.vt.edu>
Errors-To: owner-nanog-outgoing@merit.edu
Just started getting it here... it came from a local Comcast cable user,
and so overwhelmed the mail server that SpamAssassin and qmail-scanner
stopped scanning it.  I had to nullroute that IP to stop it...

It looks like this:

Return-Path: <admin@duma.gov.ru>
Delivered-To: james@pil.net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
From: "Microsoft" <security@microsoft.com>
To: <james@pil.net>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: multipart/mixed;boundary="xxxx"
Parts/Attachments:
   1 Shown      3 lines  Text
   2          9.6 KB     Application
   3 Shown      0 lines  Text
----------------------------------------

Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!

On Fri, 22 Aug 2003 Valdis.Kletnieks@vt.edu wrote:

> A quick heads up, if anybody hasn't heard:
>
> At 1900GMT today, ET phones home, and picks up the next payload of
> instructions.  Nobody knows (yet) what they'll be, but SoBig-E erased itself,
> put in a password grabber, and then installed a mail proxy for spammer use.
>
> This one *may* just play the theme song from Bozo the Clown and erase itself,
> but I severely doubt it's gonna be that nice.
>
> http://www.f-secure.com/news/items/news_2003082200.shtml
>
>

James Smallacombe		      PlantageNet, Inc. CEO and Janitor
up@3.am							    http://3.am
=========================================================================
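The headers quoted in the post show the worm's usual disguise: an envelope sender (Return-Path) on one domain, a header From: claiming to be security@microsoft.com, a HELO of "localhost" from a non-loopback cable-modem IP, and a fixed "patch now" lure subject. The following is an added example, not part of the original post or of SpamAssassin/qmail-scanner, of a small header check that a mail operator could run over such a message before the scanners get swamped. The sample message is constructed from the headers in the post (trimmed to a plain-text body; the attachment itself is not reproduced), and the lure-subject list holds only the subject seen here; the function and constant names are the example's own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the headers quoted in the post, with a plain-text
# stand-in body instead of the worm's multipart attachment.
SAMPLE = """\
Return-Path: <admin@duma.gov.ru>
Delivered-To: james@pil.net
Received: (qmail 77869 invoked from network); 22 Aug 2003 17:39:16 -0000
Received: from unknown (HELO localhost) (68.32.237.213)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:39:16 -0000
From: "Microsoft" <security@microsoft.com>
To: <james@pil.net>
Subject: Use this patch immediately !
MIME-Version: 1.0
Content-Type: text/plain

Dear friend , use this Internet Explorer patch now!
"""

# Constructed clean message for comparison: consistent domains, sane HELO.
CLEAN = """\
Return-Path: <alice@example.org>
Received: from mail.example.org (HELO mail.example.org) (192.0.2.10)
  by richard2.pil.net with SMTP; 22 Aug 2003 17:40:00 -0000
From: "Alice" <alice@example.org>
To: <james@pil.net>
Subject: lunch?
MIME-Version: 1.0
Content-Type: text/plain

Noon at the usual place?
"""

# Lure subject taken from the post; a production filter would carry more.
LURE_SUBJECTS = {"use this patch immediately !"}

# qmail-style Received line: "from <rdns> (HELO <name>) (<ip>)"
HELO_RE = re.compile(
    r"from\s+(\S+)\s+\(HELO\s+([^)]+)\)\s+\((\d{1,3}(?:\.\d{1,3}){3})\)", re.I)


def parse_received(value):
    """Return (reverse-dns name, HELO string, peer IP) from a qmail-style
    Received header, or None if the line is not in that form."""
    m = HELO_RE.search(" ".join(value.split()))  # unfold continuation lines
    return m.groups() if m else None


def sobig_indicators(raw):
    """Return the list of Sobig-F-style header indicators found in raw."""
    msg = message_from_string(raw)
    hits = []
    rp_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # 1. Envelope sender domain disagrees with the header From: domain.
    if rp_dom and from_dom and rp_dom != from_dom:
        hits.append("return-path/from domain mismatch")
    # 2. Header From: claims to be Microsoft (the worm's disguise).
    if from_dom == "microsoft.com":
        hits.append("spoofed microsoft.com sender")
    # 3. Client said HELO localhost but connected from a non-loopback IP.
    for value in msg.get_all("Received", []):
        parsed = parse_received(value)
        if parsed and parsed[1].lower() == "localhost" \
                and not parsed[2].startswith("127."):
            hits.append("HELO localhost from external ip %s" % parsed[2])
    # 4. Subject matches a known lure.
    if msg.get("Subject", "").strip().lower() in LURE_SUBJECTS:
        hits.append("known lure subject")
    return hits


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE), ("clean", CLEAN)):
        print(name, sobig_indicators(raw))
```

Any one indicator alone is weak (plenty of legitimate mail has a forwarding-induced Return-Path mismatch), so the value is in scoring several together; the HELO-vs-peer check in particular is cheap to evaluate at SMTP time, before the message body is ever handed to a content scanner.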