Discussion:
100+ infected e-mails in 24 hours
Padraig Breathnach
2003-08-20 21:57:05 UTC
In the past 24 hours I have received 129 mails with I-worm attached.

I have reasonable defences -- ZoneAlarm and AVG, both updated
frequently, and, most important of all, a reluctance to open strange
attachments. So my system has not been infected, and I don't expect
that it will be.

But it's very tiresome on single-channel ISDN to download all this
crap. I could, and probably will, put together some filters to deal
with things, but last time I did strong filtering I also lost some
legitimate mail.

That's enough rabbiting-on. My point in posting is to ask if many
people are experiencing a similar volume of infected mail? If my
volume is unusual, can anybody suggest what might have caused it? My
address is "out there" in usenet, and I get plenty of spam, but this
moves things into a different league.

PB
n***@novirus.com
2003-08-20 22:47:51 UTC
Post by Padraig Breathnach
In the past 24 hours I have received 129 mails with I-worm attached.
I have reasonable defences -- ZoneAlarm and AVG, both updated
frequently, and, most important of all, a reluctance to open strange
attachments. So my system has not been infected, and I don't expect
that it will be.
But it's very tiresome on single-channel ISDN to download all this
crap. I could, and probably will, put together some filters to deal
with things, but last time I did strong filtering I also lost some
legitimate mail.
That's enough rabbiting-on. My point in posting is to ask if many
people are experiencing a similar volume of infected mail?
I'm curious about that, too; which is why I've been reading this group.

I have received 35 bounces so far, from where my email address was forged by
the worm. None for maybe 5 hours now. But I received zero infected mails sent
directly to me.

I don't believe that that pop provider is scanning for viruses, either.

Other pop accounts receive spam but no worms or bounces. Unfortunately, I
haven't seen any discussion of what algorithm the worm uses.
Post by Padraig Breathnach
If my
volume is unusual, can anybody suggest what might have caused it?
I get the sense it's tied to Europe. You're in Ireland, but are most worms
coming to you from Europe, also?
Post by Padraig Breathnach
My
address is "out there" in usenet,
I haven't seen any writing indicating that it harvests addresses from usenet.
But maybe that's how it first is seeded.
Post by Padraig Breathnach
and I get plenty of spam,
Maybe there is a spam connection. Checking "spam sobig" turns up a lot of
hits.
Post by Padraig Breathnach
but this
moves things into a different league.
PB
--
Ken
Padraig Breathnach
2003-08-20 23:43:23 UTC
Post by n***@novirus.com
Post by Padraig Breathnach
That's enough rabbiting-on. My point in posting is to ask if many
people are experiencing a similar volume of infected mail?
I'm curious about that, too; which is why I've been reading this group.
I have received 35 bounces so far, from where my email address was forged by
the worm. None for maybe 5 hours now. But I received zero infected mails sent
directly to me.
I score 14 on bounce messages, not one from an address I recognise.
Post by n***@novirus.com
I don't believe that that pop provider is scanning for viruses, either.
Other pop accounts receive spam but no worms or bounces. Unfortunately, I
haven't seen any discussion of what algorithm the worm uses.
Post by Padraig Breathnach
If my
volume is unusual, can anybody suggest what might have caused it?
I get the sense it's tied to Europe. You're in Ireland, but are most worms
coming to you from Europe, also?
I don't think so. It's from everywhere. I think, but I am not sure,
that I recognise one address from usenet.
Post by n***@novirus.com
Post by Padraig Breathnach
My
address is "out there" in usenet,
I haven't seen any writing indicating that it harvests addresses from usenet.
But maybe that's how it first is seeded.
I am aware of one person who has my address in her address book, and
whose PC has been infected, so there is another possible source.

PB
JK_Deth
2003-08-21 00:35:23 UTC
One of our users, the highest so far, had a total just short of 1400. Only
about 2/3 were infectious.
Laura Fredericks
2003-08-21 03:07:18 UTC
...My point in posting is to ask if many people are experiencing a
similar volume of infected mail?
Probably around 200, so far, but none with attachments; they're just
a nuisance.

I use a mail notifier (Magic Mail Monitor) with filters, so they
don't even get downloaded to my e-mail program. They're deleted
directly off the server.

I've set my filters to delete subject lines that *include* the
following:

details
my details
your details
wicked screensaver
resume
approved
that movie
thank you
your application

Note, since some of the subject lines also say "re." and "re.
re.", I've set the filters to delete all e-mails that *include* the
words, above.

I looked at my deleted messages log, and all messages deleted were
these -- nothing that shouldn't have been. ;-)

Fyi, Magic Mail Monitor is freeware, and now open source. IMHO, this
is truly the best e-mail notifier out there. I've used it for years.
Besides the filters (which includes a "friends" list) you can set
each pop3 account to alert you with a different wav file. I like that
feature, a lot. :-)
http://mmm3.sourceforge.net/
If my volume is unusual, can anybody suggest what might have caused
it?
Stupid people who executed the attachment. ;-)

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A


Remove CLOTHES to reply.
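As an added illustration of the subject-line filter described in this post (not Magic Mail Monitor's own code), here is a small Python version: it matches the post's keyword list case-insensitively as substrings, so "re: re: your details" is caught as well, and it honours a "friends" allowlist so that legitimate mail from known senders survives. The sample messages, the friends list and the function names are constructed for the example.

```python
import email
from email import policy
from typing import List, Optional, Tuple

# The subject fragments listed in the post. They are matched as lowercase
# substrings, which is why "Re: Re: your details" still triggers "details".
WORM_SUBJECT_FRAGMENTS = [
    "details", "my details", "your details", "wicked screensaver",
    "resume", "approved", "that movie", "thank you", "your application",
]

# Constructed allowlist (the "friends list" feature the post mentions):
# mail from these senders is never deleted, whatever the subject says.
FRIENDS = {"alice@example.org"}


def matches_worm_subject(subject: Optional[str]) -> Optional[str]:
    # Return the first fragment found in the subject, or None if it is clean.
    s = (subject or "").lower()
    return next((f for f in WORM_SUBJECT_FRAGMENTS if f in s), None)


def classify(raw_message: str) -> Tuple[str, str]:
    # Decide ("keep" | "delete", reason) for one raw RFC 822 message.
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender = (msg.get("From") or "").lower()
    if any(friend in sender for friend in FRIENDS):
        return "keep", "sender on friends list"
    hit = matches_worm_subject(msg.get("Subject"))
    if hit:
        return "delete", f"subject contains {hit!r}"
    return "keep", "no filter matched"


# Constructed sample mailbox: two worm-style subjects, a legitimate mail that
# shares a keyword ("resume") but comes from a friend, and an ordinary mail.
SAMPLE_MESSAGES = [
    "From: someone@example.com\nSubject: Re: Re: Your details\n\nSee the attached file for details.\n",
    "From: other@example.net\nSubject: Wicked screensaver\n\nPlease see the attached file.\n",
    "From: alice@example.org\nSubject: My resume, as promised\n\nHi, here it is.\n",
    "From: bob@example.net\nSubject: Lunch on Friday?\n\nAre you free?\n",
]


def run_filter(messages: List[str] = SAMPLE_MESSAGES) -> List[Tuple[str, str]]:
    # One (decision, reason) entry per message, like the deleted-messages log.
    return [classify(m) for m in messages]


if __name__ == "__main__":
    for (decision, reason), m in zip(run_filter(), SAMPLE_MESSAGES):
        print(f"{decision:6} {reason:36} {m.splitlines()[1]}")
```

Broad fragments such as "resume", "approved" and "thank you" are exactly the ones that cost legitimate mail without an allowlist, so reviewing the deletion log as the post describes is the real safeguard.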
Bart Bailey
2003-08-21 06:12:22 UTC
Post by Laura Fredericks
Fyi, Magic Mail Monitor is freeware, and now open source. IMHO, this
is truly the best e-mail notifier out there. I've used it for years.
Besides the filters (which includes a "friends" list) you can set
each pop3 account to alert you with a different wav file. I like that
feature, a lot. :-)
Will it query a hotmail account like MailWasher?
I'll try it during my eval-an-app session this weekend,
http://aleron.dl.sourceforge.net/sourceforge/mmm3/magic-2.94b8.zip
--
Bart
Laura Fredericks
2003-08-21 12:00:05 UTC
Post by Bart Bailey
Will it query a hotmail account like MailWasher?
No. It's a pop3 e-mail notifier.

The best webmail notifier I've used is AllenChow Webmail Checker.
It's shareware. It also does pop3, but doesn't have the cool
features of MMM, so I just use it for Hotmail and Yahoo.

http://www.allenchow.com/shareware/acweb.html

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet-fact.jpg

Remove CLOTHES to reply.
FromTheRafters
2003-08-22 02:18:51 UTC
On Thu, 21 Aug 2003 03:07:18 GMT, Laura Fredericks
Post by Laura Fredericks
If my volume is unusual, can anybody suggest what might have caused
it?
Stupid people who executed the attachment. ;-)
Does OE *not* execute this worm?
From what I've read, this is a "must click" worm. It does
"attempt" to spread by network shares, but according to
the Symantec write-up it fails due to buggy code.

~ big surprise there (maybe the rumors are true after all)
n***@novirus.com
2003-08-23 03:25:43 UTC
Post by FromTheRafters
~ big surprise there (maybe the rumors are true after all)
what rumors, pray tell?
Just joking about the usual from rumor central.
<hint>
Sobig has buggy code.
When you hear the phrase "buggy code" what comes to mind?
'nuff said?
</hint>
if you mean concerning viruses, I'm not familiar

but if you mean in general, then it'd have to be M$oft ;)
--
Ken
Zvi Netiv
2003-08-23 07:14:00 UTC
Post by FromTheRafters
Does OE *not* execute this worm?
From what I've read, this is a "must click" worm. It does
"attempt" to spread by network shares, but according to
the Symantec write-up it fails due to buggy code.
~ big surprise there (maybe the rumors are true after all)
what rumors, pray tell?
Just joking about the usual from rumor central.
<hint>
Sobig has buggy code.
When you hear the phrase "buggy code" what comes to mind?
What did the guy say when told his wife was sleeping with the whole town?
"Some town, hardly five hundred men!"

Zvi Netiv
2003-08-22 10:13:35 UTC
Post by Padraig Breathnach
In the past 24 hours I have received 129 mails with I-worm attached.
It's Sobig.F. Check http://www.messagelabs.com/viruseye/threats/default.asp and
you'll see that Sobig.f surpassed every and all malware on a daily/monthly
count.
Post by Padraig Breathnach
I have reasonable defences -- ZoneAlarm and AVG, both updated
frequently, and, most important of all, a reluctance to open strange
attachments. So my system has not been infected, and I don't expect
that it will be.
But it's very tiresome on single-channel ISDN to download all this
crap. I could, and probably will, put together some filters to deal
with things, but last time I did strong filtering I also lost some
legitimate mail.
Try MailWasher or MagicMail from
http://www.freedownloadscenter.com/Email_Tools/Mail_Notification_Tools/Magic_Mail_Monitor.html
I like the latter, it's less fancy than MailWasher, but far more useful to the
experienced user.
Post by Padraig Breathnach
That's enough rabbiting-on. My point in posting is to ask if many
people are experiencing a similar volume of infected mail? If my
volume is unusual, can anybody suggest what might have caused it? My
address is "out there" in usenet, and I get plenty of spam, but this
moves things into a different league.
If it consoles you, then we received well over 10,000 copies of Sobig.f since
its outbreak. There is nothing you can do to not receive these e-mails, short
of dropping your current e-mail address, initiating a new one, and not disclosing
your new address on public channels, like in newsgroups.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com ***@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!
Laura Fredericks
2003-08-22 20:01:17 UTC
Post by Zvi Netiv
Try MailWasher or MagicMail from
<snip link to old proggie>
Post by Zvi Netiv
I like the latter, it's less fancy than MailWasher, but far more
useful to the experienced user.
That's the old version of Magic Mail Monitor. It's now open-source.
The new version has filters and a friends list. It's deleting all
the SOBIG mails, as they come in. :-) I only know I'm getting them
by checking the deleted mails log.
http://mmm3.sourceforge.net/

--
Laura Fredericks
PGP key ID - DH/DSS 2048/1024: 0xC753039A

http://www.queenofcyberspace.com/usenet-fact.jpg

Remove CLOTHES to reply.
Gabriele Neukam
2003-08-22 21:11:31 UTC
Post by Zvi Netiv
Post by Padraig Breathnach
In the past 24 hours I have received 129 mails with I-worm attached.
It's Sobig.F. Check http://www.messagelabs.com/viruseye/threats/default.asp and
you'll see that Sobig.f surpassed every and all malware on a daily/monthly
count.
Daily without any doubt. But I hope it isn't raging like that for a
full month. At least some of "my" senders seem to have been
remedied/taken offline; the incoming rate has decreased.

Hoping that the worst is over, after 124 Sobig(related) mails within 48
hours.


Gabriele Neukam

***@t-online.de
--
Ah, Information. A good, too valuable these days, to give it away, just
so, at no cost.
Zvi Netiv
2003-08-23 06:45:24 UTC
Post by Gabriele Neukam
Post by Zvi Netiv
Post by Padraig Breathnach
In the past 24 hours I have received 129 mails with I-worm attached.
It's Sobig.F. Check http://www.messagelabs.com/viruseye/threats/default.asp and
you'll see that Sobig.f surpassed every and all malware on a daily/monthly
count.
Daily without any doubt. But I hope it isn't raging like that for a
full month. At least some of "my" senders seem to have been
remedied/taken offline; the incoming rate has decreased.
I thought the same too, but it didn't last long. The incoming rate went up
again from 14:00, our time, probably when US users woke up and switched their
computers on. ;) An interesting observation is that Sobig.f suppressed the
daily rate of Klez by MessageLabs well under its 'usual' 10,000 daily
intercepts.
Post by Gabriele Neukam
Hoping that the worst is over, after 124 Sobig(related) mails within 48
hours.
I am afraid it doesn't look like that.

Regards, Zvi
--
NetZ Computing Ltd. ISRAEL http://invircible.com ***@resq.co.il
InVircible Virus Defense Solutions, ResQ and Data Recovery Utilities
E-mail sent in reply to this post will not be considered private and
will be answered in the newsgroup. Top posting is not appreciated!