Sobig.c virus warning and FYI.
Straight_Man
Geeky, in my own wayNaples, FL Icrontian
Sobig has spread most when folks open email at the beginning of a work week, so this warning from Kaspersky came at a good time. Sobig.c has a terror theme, below is a sample of an actual email Kaspersky received quite a few of on their support servers (comon things include attachment name), which do file type and heuristics scanning and are used to let Kaspersky capture viruses early by accepting email on hardened servers that quarantine suspicious things in a holding area that is culled for virus analysis and new definition development.
So, if in the coming weeks, you get something that looks like this, with this file name, trash on sight and along about Christmas expect new defs to kill it automaticly by ALL the major vendors.
Email text and attachment name only:
Subject: Why me?
Body Text:
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT
YOU ! You've said THAT about me
Attachment name: terror-list.com
From and TO can be anything at all. This virus is worm type, and spawns THREE registered system process copies of itself and does so randomly to files in Windows directory, and each and all of the spawned copies work to replicate themselves into more files on windows boxes over time as well as ESMTP spread themselves with random from addresses.
Rule type exclusions by admins can include spam deleting anything with an attachment with the string terror in its name, and\or rule type deleting of any email with a file that is not of type text but does contain terror in its name.
NAV will, if run in bloodhound mode, trash or flag .com attachments by default. It might be good to run your scan engines in deep\aggressive heuristics mode for a while, despite the processor time needed, if you do email a lot next week.
This is a what to look out for post, and a way to kill post, not a scare post. The more people that kill on sight, the fewer copies will spread and fewer boxes will get infected adn become spreaders, which means your box will not get hit again and again by the same beast if many folks take up front action.
Kaspersky AV already knows the Sobig.c virus and can kill it on sight.
John.
So, if in the coming weeks, you get something that looks like this, with this file name, trash on sight and along about Christmas expect new defs to kill it automaticly by ALL the major vendors.
Email text and attachment name only:
Subject: Why me?
Body Text:
You say in the www. that i'm a terrorist!!! No way out for you. I REPORT
YOU ! You've said THAT about me
Attachment name: terror-list.com
From and TO can be anything at all. This virus is worm type, and spawns THREE registered system process copies of itself and does so randomly to files in Windows directory, and each and all of the spawned copies work to replicate themselves into more files on windows boxes over time as well as ESMTP spread themselves with random from addresses.
Rule type exclusions by admins can include spam deleting anything with an attachment with the string terror in its name, and\or rule type deleting of any email with a file that is not of type text but does contain terror in its name.
NAV will, if run in bloodhound mode, trash or flag .com attachments by default. It might be good to run your scan engines in deep\aggressive heuristics mode for a while, despite the processor time needed, if you do email a lot next week.
This is a what to look out for post, and a way to kill post, not a scare post. The more people that kill on sight, the fewer copies will spread and fewer boxes will get infected adn become spreaders, which means your box will not get hit again and again by the same beast if many folks take up front action.
Kaspersky AV already knows the Sobig.c virus and can kill it on sight.
John.
0
Comments