Mass E-mail Spam??
Old Virus Has a New Trick: Mailing Itself in Quantity
By JOHN SCHWARTZ
If the e-mail message offers "details," "That movie" or "Wicked screensaver," don't open the attachment. (And why are you still opening unsolicited attachments, anyway? Don't you ever learn?)
One of the most common rogue computer programs on the Internet made a virulent reappearance yesterday. The virus, known by security companies as SoBig.F, spread rapidly by e-mail messages across computer networks.
MessageLabs, an e-mail security company that described the virus in an alert yesterday, said it was "spreading very vigorously." Other virus experts were more blunt.
"It's shooting off like a rocket," said Ken Dunham, malicious code intelligence manager for iDefense Inc. in Reston, Va. The flood of e-mail does not necessarily mean that especially large numbers of machines are infected, he said. This bug is simply more efficient than previous programs at sending itself around. The mail program that the virus uses is "multithreaded," which allows it to send out many copies at once.
But the creator of the program appears to have gone a step further, Mr. Dunham said, using computers that were taken over by previous versions of the SoBig virus to mass-mail copies of the program, as spammers do.
Like many other mass-mailing viruses, SoBig comes with its own mail program that trolls through the victim's address book, stored Web pages and other files, picking up e-mail addresses. It then sends itself to every address it finds, and often disguises the sender's true identity by substituting an address from the victim's machine. Once the program has infected a machine, it will download a Trojan horse program that could allow an attacker to take over the target PC.
The new SoBig comes during a busy time in the malicious software world. Computer users have had to deal with onslaughts from several new programs lately, including the Blaster worm and another called Nachi or Welchia, which has been marauding through corporate computer networks. Like most rogue programs, this latest virus affects computers running versions of Microsoft operating systems.
With SoBig, many computer users whose machines become infected often bring the problem upon themselves by trying to open the attachment that comes with the e-mail message. It might be called "your details," "thankyou" or other names, but almost always ends in the file extension ".pif" or ".scr."
Infection can be prevented by deleting suspect e-mail messages without clicking on the attachments, virus experts said yesterday, but "once somebody lets that one part in, it will quite happily propagate itself" throughout a network, said Vincent Weafer, senior director of Symantec Security Response. The program is blocked by recent versions of most antivirus programs.
Like other variants of SoBig, the program was written to stop spreading on a certain date, in this case Sept. 10. Computer virus experts suggest that the program's creator is releasing each version for a limited time in a process of testing, tinkering and improvement.
Last edited by alphadoggy; Aug 20, 2003 at 05:01 PM.
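The article's advice about attachments ending in ".pif" or ".scr" can be applied as a mail-gateway check. The sketch below is an added example, not code from the article or from any mail product; the sample message and the names `triage`, `final_extension` and `sample` are constructed for illustration.

```python
import email
from email import policy

# Extensions the article names for SoBig.F attachments.
BLOCKED_EXTENSIONS = {".pif", ".scr"}

# Constructed sample message (not a captured SoBig.F mail); {part} is filled per case.
TEMPLATE = """\
From: forged.sender@example.com
To: user@example.org
Subject: Re: Details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See the attached file for details
--BOUND
{part}
Content-Transfer-Encoding: base64

AAAA
--BOUND--
"""


def sample(part_headers: str) -> bytes:
    """Build a constructed test message whose attachment part uses the given headers."""
    return TEMPLATE.format(part=part_headers).encode("ascii")


def final_extension(filename: str) -> str:
    """Return the last extension, lower-cased, as Windows would resolve it."""
    # Windows drops trailing dots and spaces, so "x.pif." still runs as a .pif.
    cleaned = filename.strip().rstrip(". ").lower()
    dot = cleaned.rfind(".")
    return cleaned[dot:] if dot != -1 else ""


def triage(raw_message: bytes) -> tuple[str, list[str]]:
    """Return ("quarantine", names) if any part carries a blocked extension."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename=, then Content-Type name=.
        name = part.get_filename()
        if name and final_extension(name) in BLOCKED_EXTENSIONS:
            hits.append(name)
    return ("quarantine", hits) if hits else ("deliver", [])
```

The check keys on the final extension only, so a decoy such as "movie.mpg.scr" is still caught while "notes.scr.txt" is not.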
Help
I need help
I ran the Sobig, Welchia, Blaster worm removal tools.
I also ran the virus scan from Symantec, and it shows no viruses.
I don't know what to do. I am still getting tons of spam e-mails. I sent a trouble ticket to Norton and all I have gotten so far is an automatic response saying they will get back to me in 3-4 business days.
Anyone have any advice? I have no idea what to do.
I never open up any attachments from people I don't know.
Don,
You're getting the output from other infected machines. Your machine is probably fine. If your email address is posted or referenced by someone that Emailed you and then became infected it passed that on to the other machines IT infected. See the problem???? We got 275,000 today ... Whew This is KILLING the internet too.
Cliff
PS.... Norton should isolate the file if you have MailSafe enabled.
That may be why Sal's never have a file attached.....
Last edited by SVT_KY; Aug 22, 2003 at 10:06 PM.
It's not that you infected your machine. It's just that someone else who views these boards is infected. When your machine gets the SoBig virus (as well as many others, many work the same way), it'll scan the entire hard drive for all email/HTML files. It then opens them up and parses out all the email addresses it can find. It then sends out a copy of the virus to all those email addresses. So, the fact that you're receiving the emails doesn't mean that you're infected, it's just that your email address was posted somewhere, and the infected person just happened to have visited the page that had your email address. And, the FROM address on the emails are spoofed also, taken from the same sources. So, when the infected person sends out his copies of the virus, the emails may say that they came from your address, when they actually did not.
All in all, nothing you can do but just delete the messages. Don't reply back to tell the person to clean their machine, because the From address is not the person who's really infected.
In the future, I wouldn't put your real email address out. If you post it somewhere, put it like: donsboltREMOVETHIS@REMOVETHISaol.com, just an example. So, people who email you will take out the "REMOVETHIS" sections, but a virus program won't, so the emails will never get to you.
Oh, and people should stop running Outlook
I use The Bat!, personally. Never gets any email viruses.
Thanks I feel a little better, but this virus still sucks
I have gotten about 70 e-mails since I last posted, they all say see attached files for details, but there is never an attachment, so I must be safe.
And yes I already did the Microsoft patch.
I read this post a few days ago and didn't really give it a second thought. Checked my email this morning, no problems.
Checked it tonite. 140 some emails, 22 bulk. (Yes, that's a redlight. They are all "Re: " (and after "Re:" it's clearly just like 4 different phrases) and all had attachments)
I got them from magnaflow, centerline wheels, bank websites (none of those I'm sure I've visited), LFP, PSP, JDM, and oddly enough Spiro99SVT. Not like it has caused a problem. I use my email for, well, sadly, just truck parts and information transactions. And I don't download any of that crap. I deleted it all, but I'm sure I'll get more.
So, uh, past deleting them (I haven't bothered to open any of them up) there probably isn't much to do, is there?
Tapes From the Help Desk
By JOHN KENNEY
"If the e-mail message offers `details,' `That movie' or `Wicked screensaver,' don't open the attachment."
— The New York Times, Aug. 20, 2003, on the virus that spread across computer networks this week.
9:38 a.m.
Hi. Umm, hi. Yeah. This is Ingrid, from cost accounting. Well, my computer is . . . it's on fire. I opened this file, this, thing because I'm in cost accounting, which I think I said, and I need details. I'm detail-oriented. Did I say oriented or orientated? I'm sorry. I also opened the "That movie" one, too, because I like movies a lot. I live alone. Well, with Sashi, my cat. I watch movies. And I like screensavers, too. I'm really sorry. My computer is burning and . . . could someone call me, please? Also, do we still have to do our time sheets today?
10:02 a.m.
Hey. How ya doin'. Dan, in sales. Got a question. I heard about this virus thing and I was using the computer yesterday and today I have a sore throat. Should I be worried?
10:14 a.m.
Hello. This is Chip, the intern, I'm an intern, a summer intern. I work in municipal finance but that's just for the summer. I really want to get into asset management, I think that would be awesome, anyway. Like, I was wondering if like there was another blackout or a partial blackout or something because I swear I didn't touch anything only it's just, like, I saw "Wicked screensaver" and I thought, cool, so. Umm. . . . My parents are going to kill me.
10:42 a.m.
Yes, hello. Why do I have e-mail receipts from 956 students at the University of Wisconsin? This is Vivian in Mr. Hayden's office and I'd just like to make clear that at no time did I send an e-mail to the Pan-Hellenic Society at the University of Wisconsin about a toga party this Saturday night. My husband and I don't even live in Wisconsin, for heaven's sake, not to mention that we have plans for Saturday night with the Martinson's.
11:01 a.m.
This is Jim from the Detailed Movie Screensaver Department. We, umm, we got a huge problem down here.
11:17 a.m.
Hello. This is . . . excuse me. I'm on with them now — (loud crash) — Umm, I'm sorry . . . April, yes Chuck's . . . Chuck Smeterling's assistant. As in Chuck the president of the company. If you could come down here when you get a moment. . . . We're having a little trouble with the computer. No, that window does not open, Mr. Smeterl—
11:29 a.m.
Hi. Hi there. I hope you guys in tech support, who, frankly, I don't think get enough credit for all the good work you do, are having a good day. I just have a quick question about why my screen's black and playing "Sweet Child of Mine" over and over. My name's Herb Lugnutt, in H.R., but I'm no relation whatsoever to the Herb Lugnutt who sent that company-wide message about how the Help Desk is a bunch of slackers. No relation at all. And I thought his e-mail was really out of line.
1:45 p.m.
Hey. Hi there. It's Chuck, as in the president of the company. I opened this e-mail entitled "Thank you!" I like to be thanked. I'm not thanked enough, actually. Especially by you tech guys. With your long hair, out on your smoke breaks, laughing at your software jokes, wearing your stupid Black Sabbath T-shirts. See, my computer, it's broken. It's making these noises . . . and frozen on the screen is . . . is a picture of my head somehow pasted onto a little girl in a party dress. Now if someone doesn't get up here soon . . . .
3:00 p.m.
Ted. It's Jack. From the Help Desk. I sit next to you. Ya know how today is my last day? Well I just sent you this wicked screensaver. Open it.
I have been getting them also. Someone who has us on their address book has the SoBig.F virus. It may be someone on this list as most of the spoofed from addresses are lightning or high perf card related.
They stopped at this end. Earthlink must have figured out how to block it. You might want to check with your ISP if they are still coming to see if there is anything they can do about it.