
Danny Wareham
December 5th 03, 08:17 PM
It is estimated that 60% of the world's computers are not protected, and this
creates headaches for everyone. Those 60% can be used to tie up the
internet, even be involved in cyber-crimes, and their owners won't even know.

$$$$$$

How to Stop Sobig.F

Tips and links to help you stop the Sobig variant from infecting your PC.

By Tim Moynihan


The Sobig.F worm is a variant of June's Sobig.A worm. The worm is also known
as I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f@MM, and WORM_SOBIG.F.

Sobig.F only affects Windows systems, and it has been spreading rapidly
since earlier this week. Machines running Windows 2000, Windows 95, Windows
98, Windows Me, Windows NT, and Windows XP are all susceptible to the worm.


Remove Sobig.F from your system


Symantec has released a free Sobig.F removal tool for infected systems. If
you think your Windows PC has been infected, download and run Symantec's
removal tool.


On an infected system, the worm scans various documents for email addresses.
The worm then distributes itself to other inboxes using a built-in SMTP
engine. When it distributes itself, it "spoofs" in the "From:" field an
email address it finds on the infected machine instead of using the infected
user's address. Because the address doesn't match that of the infected
machine, it's difficult to trace the string of infected computers.


The worm also has a built-in shutoff date. It'll stop working on September
10, 2003.


Learn more about how the Sobig.F worm operates in these articles and
security alerts.
Sophos' Sobig.F Virus Analysis
Sobig.F Joins Blaster Attack on Windows (The Register)
Auto-Responders Magnify Sobig Problem (The Register)
Sobig.F Is 'Worst Variant Yet' (ZDNet)

How to protect yourself

Delete any email with the following subject lines, even if they're sent from
a familiar name.


Thank you!
Your details
Re: Details
Re: Approved
Re: Re: My details
Re: Thank you!
Re: That movie
Re: Wicked screensaver
Re: Your application


Don't open any email attachments, especially those with the following names.


your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif


What about Blaster?


If you're looking for information about the still-dangerous Blaster worm,
read these articles.
Blast the Blaster Worm
Beating Blaster Now, some great advice from Tech Live

Originally posted August 20, 2003
Copyright © 2003 TechTV Inc. All rights reserved.
Use of Techtv.com is subject to certain terms and conditions. We respect
your privacy.

$$$$$$

8/18/2003
_____________________________

In this issue:

1. Level 4 Virus Alert! W32.Welchia.Worm
2. Level 3 Virus Alert! W32.Dumaru@mm
3. Feedback
4. Subscribing and unsubscribing
5. Disclaimer
_____________________________

NOTE: This is an outgoing email address. Do not reply to this email
message. If you require assistance with installing, configuring, or
troubleshooting a Symantec product, or if you have a question for Customer
Service, then visit the Symantec Service & Support Web site at the
following Internet address:

http://www.symantec.com/techsupp/

To view this and prior News Bulletins in HTML format, visit the following
Internet address:

http://www.symantec.com/techsupp/vURL.cgi/navarc
_____________________________

1. Level 4 Virus Alert! W32.Welchia.Worm

Due to an increase in submissions, Symantec Security Response has upgraded
W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August 18, 2003.

The worm attempts to download the DCOM RPC patch from Microsoft's Windows
Update Web site, install it, and then reboot the computer. The worm checks
for active machines to infect by sending an ICMP echo, or PING, which
results in increased ICMP traffic.

The worm will also attempt to remove W32.Blaster.Worm.

Definitions dated August 18, 2003 will detect the W32.Welchia.Worm. Run
LiveUpdate or download the Intelligent Updater virus definitions at
http://securityresponse.symantec.com/avcenter/defs.download.html

Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee],
WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]

Type: Worm
Infection Length: 10,240 bytes
Systems Affected: Windows 2000, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX
CVE References: CAN-2003-0109, CAN-2003-0352

For additional information, visit the following Internet address:

http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
_____________________________

2. Level 3 Virus Alert! W32.Dumaru@mm

W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan onto the
infected machine. The worm gathers email addresses from certain file types
and uses its own SMTP engine to email itself.

Definitions dated August 18, 2003 will detect the W32.Welchia.Worm. Run
LiveUpdate or download the Intelligent Updater virus definitions at
http://securityresponse.symantec.com/avcenter/defs.download.html

The email has the following characteristics:

From: "Microsoft" >
Subject: Use this patch immediately !
Message:
Dear friend , use this Internet Explorer patch now!
There are dangerous virus in the Internet now!
More than 500.000 already infected!
Attachment: patch.exe

This threat is written in the Microsoft C++ programming language and is
compressed with UPX.

Type: Worm
Infection Length: 9,216
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
Windows NT, Windows XP
Systems Not Affected: Linux, Macintosh, OS/2, UNIX

For additional information, visit the following Internet address:


_____________________________

3. Feedback

Do you have feedback that can help us provide better products or services?
If so, then we want to hear from you. Visit the Symantec suggestion box at
the following Internet address, and let us know how we can improve:

http://www.symantec.com/feedback/
_____________________________

4. Subscribing and unsubscribing

If you want to subscribe to other Symantec newsletters, or you want to
unsubscribe, then follow the instructions at the following Internet
address:

http://www.symantec.com/techsupp/bulletin/index.html

If you are unable to successfully unsubscribe, then follow these steps:

1. Create a new email message addressed to:



2. In the Subject line, type the following:

UNSUBSCRIBE

3. In the body of the message, type the following:

SIGNOFF NAV-TECHINFO-L

4. Send the message.

If you want to unsubscribe from other Symantec newsletters, then follow the
above steps changing the SIGNOFF list name in step 3 to the appropriate
list name. Each News Bulletin you receive will contain the correct list
name.

_____________________________

5. Disclaimer

THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY.

This message contains Symantec Corporation's current view of the topics
discussed as of the date of this document. The information contained in
this message is provided "as is" without warranty of any kind, either
expressed or implied, including but not limited to the implied warranties
of merchantability, fitness for a particular purpose, and freedom from
infringement. The user assumes the entire risk as to the accuracy and the
use of this document. This document may not be distributed for profit.

Symantec and the Symantec logo are U.S. registered trademarks of Symantec
Corporation. Other brands and products are trademarks of their respective
holder(s).

(c) Copyright 2003 Symantec Corporation. All rights reserved. Materials may
not be published in other documents without the express, written permission
of Symantec Corporation.

$$$$$$


The MSBlast.exe virus is rapidly evolving and at least two new strains have
now appeared. One of these strains automatically generates Internet traffic
from infected PCs to the windowsupdate.com site. Another strain attempts to
automatically download the patch for the problem from the Microsoft web
site. In both instances, the automatically generated traffic is having an
impact on network performance worldwide. If you have been experiencing a
slowdown in your Adelphia Power Link performance, it may be attributable to
the MSBlast virus. For additional information on the virus, you can click on
the following link:

http://news.com.com/2100-1002_3-5065644.html?tag=fd_lede2_hed
The virus is widely reported to exploit a security hole in Microsoft's
Windows products, and you will need to install the Microsoft patch to
prevent the virus from recurring. Simply following instructions to prevent
your computer from rebooting will not necessarily prevent the virus from
re-infecting your PC. Please click on the link below to download the
appropriate patch for your operating system:

http://www.microsoft.com/technet/security/bulletin/MS03-026.asp

We encourage our users to consider purchasing anti-virus software and/or
personal firewalls to help prevent viruses from infecting their computers in
the future. You can search for free personal firewall software, as well as
anti-virus software, using the Google search tool.

For those customers who are currently running firewalls, you are encouraged
to block access to TCP ports 69, 135, 4444 at the firewall level.

That means if you use ADSubtract, which uses port 4444, change it to use a
different port.

--
Kind Regards,


Danny Wareham
Waresoft Software
www.xp-smoker.com

SoftWrap 24/7 Toll-Free Phone Support:

Canada - 1 877 687 7166
United Kingdom (UK) - 0 800 917 2110
USA - 1 800 221 8984
Australia - 1 800 129 251
New Zealand - 0 800 441 133
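The TechTV advice above (delete mail with the listed subject lines, never open the listed .pif/.scr attachments, and don't trust the From: line because Sobig.F spoofs it) can be turned into a simple mail filter. This is an added example, not code from the post or from TechTV/Symantec; the sample message is constructed, not a real capture.

```python
import email
from email import policy

# Sobig.F subject lines and attachment names exactly as listed in the quoted TechTV article.
SOBIG_SUBJECTS = {
    "Thank you!", "Your details", "Re: Details", "Re: Approved",
    "Re: Re: My details", "Re: Thank you!", "Re: That movie",
    "Re: Wicked screensaver", "Re: Your application",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
RISKY_EXTENSIONS = (".pif", ".scr")  # every listed worm file name uses one of these

def sobig_indicators(raw_message: bytes) -> list[str]:
    """Return the Sobig.F indicators found in one RFC 822 message (empty list = none).
    The From: header is ignored on purpose: the worm fills it with a harvested address."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject in SOBIG_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():  # non-body MIME parts only
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif name.endswith(RISKY_EXTENSIONS):
            hits.append("extension:" + name)
    return hits

# Constructed sample message (not a real capture); the attachment body is dummy zeros.
SAMPLE_INFECTED = b"""\
From: colleague@example.com
Subject: Re: Wicked screensaver
Content-Type: multipart/mixed; boundary="BOUND"

--BOUND
Content-Type: text/plain

See the attached file.
--BOUND
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

AAAAAAAA
--BOUND--
"""
```

Running `sobig_indicators(SAMPLE_INFECTED)` reports both the subject and the attachment match, while an ordinary message with no risky attachment returns an empty list.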