Marc Liron
December 6th 03, 01:47 PM
This article too explains all..
http://www.updatexp.com/sobig-worm-f.html
>-----Original Message-----
>It is estimated that 60% of the world's computers are not protected and this
>creates headaches for everyone. Those 60% can be used to tie up the
>internet, even be involved in cyber-crimes and their owners won't even know.
>
>$$$$$$
>
>How to Stop Sobig.F
>
>Tips and links to help you stop the Sobig variant from infecting your PC.
>
>By Tim Moynihan
>
>
>The Sobig.F worm is a variant of June's Sobig.A worm. The worm is also known
>as I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f@MM, and WORM_SOBIG.F.
>
>Sobig.F only affects Windows systems, and it has been spreading rapidly
>since earlier this week. Machines running Windows 2000, Windows 95, Windows
>98, Windows Me, Windows NT, and Windows XP are all susceptible to the worm.
>
>
>Remove Sobig.F from your system
>
>
>Symantec has released a free Sobig.F removal tool for infected systems. If
>you think your Windows PC has been infected, download and run Symantec's
>removal tool.
>
>
>On an infected system, the worm scans various documents for email addresses.
>The worm then distributes itself to other inboxes using a built-in SMTP
>engine. When it distributes itself, it "spoofs" in the "From:" field an
>email address it finds on the infected machine instead of using the infected
>user's address. Because the address doesn't match that of the infected
>machine, it's difficult to trace the string of infected computers.
>
>
>The worm also has a built-in shutoff date. It'll stop working on September
>10, 2003.
>
>
>Learn more about how the Sobig.F worm operates in these articles and
>security alerts.
>
>
>
>
>Sophos' Sobig.F Virus Analysis
>Sobig.F Joins Blaster Attack on Windows (The Register)
>Auto-Responders Magnify Sobig Problem (The Register)
>Sobig.F Is 'Worst Variant Yet' (ZDNet)
>
>
>How to protect yourself
>
>
>
>
>Delete any email with the following subject lines, even if they're sent from
>a familiar name.
>
>
>Thank you!
>Your details
>Re: Details
>Re: Approved
>Re: Re: My details
>Re: Thank you!
>Re: That movie
>Re: Wicked screensaver
>Re: Your application
>
>
>Don't open any email attachments, especially those with the following names.
>
>
>your_document.pif
>document_all.pif
>thank_you.pif
>your_details.pif
>details.pif
>document_9446.pif
>application.pif
>wicked_scr.scr
>movie0045.pif
>
>
>What about Blaster?
>
>
>If you're looking for information about the still-dangerous Blaster worm,
>read these articles.
>
>
>
>
>Blast the Blaster Worm
>Beating Blaster Now, some great advice from Tech Live
>
>Originally posted August 20, 2003
>
>
>
>
>
>
>
>Copyright © 2003 TechTV Inc. All rights reserved.
>Use of Techtv.com is subject to certain terms and conditions. We respect
>your privacy.
>
>$$$$$$
>
>8/18/2003
>_____________________________
>
>In this issue:
>
>1. Level 4 Virus Alert! W32.Welchia.Worm
>2. Level 3 Virus Alert! W32.Dumaru@mm
>3. Feedback
>4. Subscribing and unsubscribing
>5. Disclaimer
>_____________________________
>
>NOTE: This is an outgoing email address. Do not reply to this email
>message. If you require assistance with installing, configuring, or
>troubleshooting a Symantec product, or if you have a question for Customer
>Service, then visit the Symantec Service & Support Web site at the
>following Internet address:
>
>http://www.symantec.com/techsupp/
>
>To view this and prior News Bulletins in HTML format, visit the following
>Internet address:
>
>http://www.symantec.com/techsupp/vURL.cgi/navarc
>_____________________________
>
>1. Level 4 Virus Alert! W32.Welchia.Worm
>
>Due to an increase in submissions, Symantec Security Response has upgraded
>W32.Welchia.Worm to Category 4, as of 6:00pm Monday, August 18, 2003.
>
>The worm attempts to download the DCOM RPC patch from Microsoft's Windows
>Update Web site, install it, and then reboot the computer. The worm checks
>for active machines to infect by sending an ICMP echo, or PING, which will
>result in increased ICMP traffic.
>
>The worm will also attempt to remove W32.Blaster.Worm.
>
>Definitions dated August 18, 2003 will detect the W32.Welchia.Worm. Run
>LiveUpdate or download the Intelligent Updater virus definitions at
>http://securityresponse.symantec.com/avcenter/defs.download.html
>
>Also Known As: W32/Welchia.worm10240 [AhnLab], W32/Nachi.worm [McAfee],
>WORM_MSBLAST.D [Trend], Lovsan.D [F-Secure]
>
>Type: Worm
>Infection Length: 10,240 bytes
>Systems Affected: Windows 2000, Windows XP
>Systems Not Affected: Linux, Macintosh, OS/2, UNIX
>CVE References: CAN-2003-0109, CAN-2003-0352
>
>For additional information, visit the following Internet address:
>
>http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.html
>_____________________________
>
>2. Level 3 Virus Alert! W32.Dumaru@mm
>
>W32.Dumaru@mm is a mass-mailing worm that drops an IRC Trojan onto the
>infected machine. The worm gathers email addresses from certain file types
>and uses its own SMTP engine to email itself.
>
>Definitions dated August 18, 2003 will detect the W32.Welchia.Worm. Run
>LiveUpdate or download the Intelligent Updater virus definitions at
>http://securityresponse.symantec.com/avcenter/defs.download.html
>
>The email has the following characteristics:
>
>From: "Microsoft" >
>Subject: Use this patch immediately !
>Message:
>Dear friend , use this Internet Explorer patch now!
>There are dangerous virus in the Internet now!
>More than 500.000 already infected!
>Attachment: patch.exe
>
>This threat is written in the Microsoft C++ programming language and is
>compressed with UPX.
>
>Type: Worm
>Infection Length: 9,216
>Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me,
>Windows NT, Windows XP
>Systems Not Affected: Linux, Macintosh, OS/2, UNIX
>
>For additional information, visit the following Internet address:
>
>http://securityresponse.symantec.com/avcenter/venc/data/w
>_____________________________
>
>$$$$$$
>
>
>The MSBlast.exe virus is rapidly evolving and at least two new strains have
>now appeared. One of these strains automatically generates Internet traffic
>from infected PCs to the windowsupdate.com site. Another strain attempts to
>automatically download the patch for the problem from the Microsoft web
>site. In both instances, the automatically generated traffic is having an
>impact on network performance worldwide. If you have been experiencing a
>slowdown in your Adelphia Power Link performance, it may be attributable to
>the MSBlast virus. For additional information on the virus, you can click on
>the following link:
>
>http://news.com.com/2100-1002_3-5065644.html?tag=fd_lede2_hed
>
>The virus is widely reported to exploit a security hole in Microsoft's
>Windows products, and you will need to install the Microsoft patch to
>prevent the virus from recurring. Simply following instructions to prevent
>your computer from rebooting will not necessarily prevent the virus from
>re-infecting your PC. Please click on the link below to download the
>appropriate patch for your operating system:
>
>http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
>
>We encourage our users to consider purchasing anti-virus software and/or
>personal firewalls to help prevent viruses from infecting their computers in
>the future. You can search for free personal firewall software, as well as
>anti-virus software, using the Google search tool.
>
>For those customers who are currently running firewalls, you are encouraged
>to block access to TCP ports 69, 135, 4444 at the firewall level.
>
>That means if you use ADSubtract which uses port 4444 change it to use a
>different port.
>
>--
>Kind Regards,
>
>
>Danny Wareham
>Waresoft Software
>www.xp-smoker.com
>
>SoftWrap 24/7 Toll-Free Phone Support:
>
>Canada - 1 877 687 7166
>United Kingdom (UK) - 0 800 917 2110
>USA - 1 800 221 8984
>Australia - 1 800 129 251
>New Zealand - 0 800 441 133
>
>
>.
>
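
Added example, not part of the original post or the quoted advisories: a mail-gateway style check that applies the Sobig.F subject and attachment lists and the Dumaru characteristics quoted above, ignoring the sender because the worm spoofs "From:". The function names, reason labels, sample addresses and the blanket .pif/.scr extension rule are assumptions made for this illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators copied from the quoted TechTV and Symantec advisories.
SOBIG_SUBJECTS = {
    "thank you!", "your details", "re: details", "re: approved",
    "re: re: my details", "re: thank you!", "re: that movie",
    "re: wicked screensaver", "re: your application",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}
DUMARU_SUBJECT = "use this patch immediately !"
DUMARU_ATTACHMENT = "patch.exe"
# Assumption (not in the advisories): any other .pif/.scr attachment is risky.
RISKY_EXTENSIONS = (".pif", ".scr")


def _norm(text):
    """Lower-case and collapse whitespace so folded headers still match."""
    return " ".join((text or "").split()).lower()


def scan_message(raw_bytes):
    """Return sorted quarantine reasons; an empty list means no match.

    From: is ignored on purpose, since Sobig.F spoofs it with harvested addresses.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = set()
    subject = _norm(msg["Subject"])
    if subject in SOBIG_SUBJECTS:
        reasons.add("sobig-subject")
    if subject == DUMARU_SUBJECT:
        reasons.add("dumaru-subject")
    for part in msg.walk():
        name = _norm(part.get_filename())
        if not name:
            continue
        if name in SOBIG_ATTACHMENTS:
            reasons.add("sobig-attachment")
        elif name == DUMARU_ATTACHMENT and "dumaru-subject" in reasons:
            reasons.add("dumaru-attachment")
        elif name.endswith(RISKY_EXTENSIONS):
            reasons.add("risky-extension")
    return sorted(reasons)


def build_sample(sender, subject, filename=None):
    """Build a constructed sample message (test data, not a real capture)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "user@example.org", subject
    m.set_content("Please see the attached file for details.")
    if filename:
        m.add_attachment(b"constructed placeholder bytes", maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()
```

A bare patch.exe is only flagged together with the Dumaru subject line, because that file name on its own is too common to quarantine on.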