This is what I was able to find out.
This info was from the F-Secure website.
at http://www.f-secure.com
F-Secure Virus Descriptions
Alphabetical Index
Radar Alert LEVEL 1
NAME: Sobig.F   ALIAS: W32/***@mm
THIS VIRUS IS RANKED AS LEVEL 1 ALERT
UNDER F-SECURE RADAR.
For more information, see:
http://www.F-Secure.com/products/radar/
A new variant of Sobig, known as Sobig.F was first found on August 19th,
2003 and it is spreading in the wild.
Update on August 24th
Sobig.F activates on Sunday the 24th of August at 19:00 UTC
Update on 19:00 UTC
Currently all master servers are down, nothing is likely to happen.
Update on 20:30 UTC
The situation remains the same.
Update on 22:00 UTC
Nothing happened - the attack failed again.
Update on August 22nd
Sobig.F activates on Friday the 22nd of August at 19:00 UTC. For
information on this, please see:
http://www.f-secure.com/news/items/news_2003082200.shtml
Update on 16:00 UTC
F-Secure can confirm that 18 of the 20 master servers are currently down
or unreachable.
Update on 17:00 UTC
F-Secure can confirm that 17 of the 20 master servers are currently
down. Apparently one of the machines was not disconnected by an ISP and
has been booted up by its owner.
We're working together with CERTs, FBI and Microsoft to stop the last
three.
Update on 18 UTC
F-Secure can confirm that ALL the master server machines are currently
down or unreachable. One of them seems to still respond to PING but not
to 8998 UDP.
We have one hour to go to see if this really is the case.
Update on 18:20 UTC
Unfortunately one server is up right now after all. And one might be
enough for the attack to start successfully.
Update on 19:00 UTC
When deadline for the attack was passed, one machine was still
(somewhat) up. However, immediately after the deadline, this machine
(located in the USA) was totally swamped under network traffic.
We've tried connecting to it, just like the virus does. We do this from
three different sensors from three different machines in three different
countries. We haven't been able to connect to it once. If we can't
connect, neither can the viruses.
So the attack failed.
We'll keep monitoring until 22:00 UTC. If we're not able to connect
once, we can safely say that the attack was prevented.
Update on 19:50 UTC
Still not a single connection from any of our sensors to any of the
servers.
Update on 21:30 UTC
Situation is still the same. Things look good.
Update on 22:00 UTC
The official attack time on Friday has ended. All 20 machines were
inaccessible throughout the attack.
Now we are investigating random UDP traffic that has been seen in the
net, possibly relating to the worm.
Disinfection Instructions
Disinfection Tool
F-Secure provides the special tool to disinfect the Sobig.F worm. The
tool and disinfection instructions are available at:
http://www.f-secure.com/tools/f-sobig.zip
http://www.f-secure.com/tools/f-sobig.txt
http://www.f-secure.com/tools/f-sobig.exe
http://www.f-secure.com/tools/f-sobig.jar
You can also download them from our FTP server:
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.zip
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.txt
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.exe
ftp://ftp.f-secure.com/anti-virus/tools/f-sobig.jar
Detailed Description
Sobig sends massive amounts of mail. The sender information of these
mails is wrong and doesn't indicate the real infected user.
The attachment has a size of around 70KB and it's packed with TELock. It
has its own SMTP engine, apart from routines to query DNS servers
directly and make requests using the Network Time Protocol.
The worm will also attempt to fetch a URL from where to download
components when certain conditions are met. The condition, in this case,
is that the time which is obtained from one of the NTP servers (whose
addresses it has hard-coded inside its code) is Friday or Sunday
(regardless of the week) between 19:00 and 22:00 UTC time. The worm will
perform this test every hour.
When the condition is met, it will attempt to retrieve a URL from a
predefined list of 20 master hosts. The content of the URL will be
downloaded and executed on the infected machines.
The list of NTP servers, used to coordinate the download of the URL is:
(This is not the list of master servers)
200.68.60.246
62.119.40.98
150.254.183.15
132.181.12.13
193.79.237.14
131.188.3.222
131.188.3.220
193.5.216.14
193.67.79.202
133.100.11.8
193.204.114.232
138.96.64.10
chronos.cru.fr
212.242.86.186
128.233.3.101
142.3.100.2
200.19.119.69
137.92.140.80
129.132.2.21
Deactivation routine
The worm will stop spreading on 10th of September 2003. From this date
onwards the worm will exit immediately when executed.
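The activation condition and the deactivation date above determine exactly which windows an incident timeline has to account for. The following Python is an added example, not F-Secure's code, that enumerates those windows from the dates stated in the description (first found August 19th, 2003; Friday or Sunday 19:00-22:00 UTC; exit from September 10th, 2003) and checks whether a given UTC timestamp falls inside one. The constants and function names are this example's own.

```python
"""Added example (not F-Secure's code): compute the Sobig.F activation
windows from the dates given in the description, for timeline work."""
from datetime import date, datetime, timedelta, timezone

FIRST_FOUND = date(2003, 8, 19)      # first seen in the wild
DEACTIVATION = date(2003, 9, 10)     # worm exits immediately from this date
WINDOW_START_HOUR = 19               # 19:00 UTC
WINDOW_END_HOUR = 22                 # 22:00 UTC (exclusive)
ACTIVE_WEEKDAYS = {4, 6}             # datetime.weekday(): 4 = Friday, 6 = Sunday


def in_activation_window(when: datetime) -> bool:
    """True if a timezone-aware timestamp lies in a Friday/Sunday
    19:00-22:00 UTC window before the deactivation date."""
    if when.tzinfo is None:
        raise ValueError("timestamp must be timezone-aware; the worm uses NTP/UTC")
    utc = when.astimezone(timezone.utc)
    if utc.date() >= DEACTIVATION:
        return False
    return (utc.weekday() in ACTIVE_WEEKDAYS
            and WINDOW_START_HOUR <= utc.hour < WINDOW_END_HOUR)


def activation_windows(start: date = FIRST_FOUND, end: date = DEACTIVATION) -> list:
    """All (window_start, window_end) pairs in UTC between the first
    sighting and the deactivation date, in chronological order."""
    windows = []
    day = start
    while day < end:
        if day.weekday() in ACTIVE_WEEKDAYS:
            begin = datetime(day.year, day.month, day.day,
                             WINDOW_START_HOUR, tzinfo=timezone.utc)
            windows.append((begin, begin + timedelta(hours=WINDOW_END_HOUR - WINDOW_START_HOUR)))
        day += timedelta(days=1)
    return windows


if __name__ == "__main__":
    # The first two windows are the Friday 22nd and Sunday 24th covered
    # in the status updates above; the last is Sunday September 7th.
    for begin, finish in activation_windows():
        print(begin.strftime("%a %Y-%m-%d %H:%M"), "->", finish.strftime("%H:%M UTC"))
```

Only six windows exist between the first sighting and the hard-coded exit date, which is why the monitoring effort described in the updates could be concentrated on a handful of three-hour periods rather than run continuously.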
Infection
It will install itself into:
%windir%\winppr32.exe
Proceeding then to add the following keys to the Windows Registry:
[HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TrayX" = %windir%\winppr32.exe /sinc
So it's started when Windows does.
Mail spreading
The worm usually arrives in e-mails with the following characteristics:
From:
The 'From:' field is filled with an address found from the infected
system. If no address is found, it will use "***@internet.com"
To:
The 'To:' field is filled with an address found from the infected
system.
Subject, any from the list:
Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie
Body, it chooses one from the two following lines:
See the attached file for details
Please see the attached file for details.
Attachment names can be any from:
your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif
Sometimes the attachment is missing.
Also, the mail header always contains this string: "X-MailScanner: Found
to be clean". Do note that there's an anti-virus product which inserts
this header to emails.
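The subject lines, body lines, attachment names and the X-MailScanner header listed above are the observable mail characteristics a gateway or mail-log filter can match on. The following Python is an added example, not F-Secure's code, that parses a raw message and reports which of those indicators it carries; the two sample messages are constructed for the example, and the function names and the scoring rule in is_probable_sobig_f are this example's own choice.

```python
"""Added example (not F-Secure's code): flag e-mail showing the Sobig.F
mail characteristics listed in the description. Samples are constructed."""
from email import policy
from email.parser import Parser

# Indicator lists copied from the description above.
SOBIG_F_SUBJECTS = {
    "Re: Thank you!", "Thank you!", "Your details", "Re: Details",
    "Re: Re: My details", "Re: Approved", "Re: Your application",
    "Re: Wicked screensaver", "Re: That movie",
}
SOBIG_F_BODIES = {
    "See the attached file for details",
    "Please see the attached file for details.",
}
SOBIG_F_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif",
    "your_details.pif", "details.pif", "document_9446.pif",
    "application.pif", "wicked_scr.scr", "movie0045.pif",
}


def sobig_f_indicators(raw_message: str) -> list:
    """Return the Sobig.F indicators present in one RFC 822 message, in
    the order found: subject, body, attachment(s), X-MailScanner header."""
    msg = Parser(policy=policy.default).parsestr(raw_message)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SOBIG_F_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower() in SOBIG_F_ATTACHMENTS:
            hits.append("attachment:" + name)
        elif part.get_content_type() == "text/plain" and not name:
            if part.get_content().strip() in SOBIG_F_BODIES:
                hits.append("body")
    if "Found to be clean" in str(msg["X-MailScanner"] or ""):
        hits.append("x-mailscanner")
    return hits


def is_probable_sobig_f(raw_message: str) -> bool:
    """A legitimate scanner also inserts the X-MailScanner header, so that
    header only supports a verdict: require a known attachment name, or at
    least two of the stronger indicators (subject, body, attachment)."""
    hits = sobig_f_indicators(raw_message)
    strong = [h for h in hits if h != "x-mailscanner"]
    return any(h.startswith("attachment:") for h in hits) or len(strong) >= 2


# Constructed sample resembling the worm's mail (attachment content is
# the base64 of "hello", not a real executable).
WORM_SAMPLE = """\
From: someone@example.com
To: target@example.net
Subject: Re: Wicked screensaver
X-MailScanner: Found to be clean
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached file for details.
--b1
Content-Type: application/octet-stream; name="wicked_scr.scr"
Content-Disposition: attachment; filename="wicked_scr.scr"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""

# Constructed benign sample that merely passed through a MailScanner gateway.
BENIGN_SAMPLE = """\
From: colleague@example.com
To: target@example.net
Subject: Meeting notes
X-MailScanner: Found to be clean
Content-Type: text/plain

Notes from today's meeting are in the wiki.
"""

if __name__ == "__main__":
    for label, sample in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, sobig_f_indicators(sample), is_probable_sobig_f(sample))
```

Because the sender address is forged from addresses found on the infected system, the From: field is deliberately not used as an indicator; it identifies neither the worm nor the real infected user.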
Sobig history
The following table shows all the Sobig variants, with their expiration
dates and when they were first found in the wild. The "Detection" field
refers to when we first had databases which detected the corresponding
variant.
Variant   Found         Expires         Detection
_____________________________________________________
Sobig.A   January 9th   NO              2003-01-09_04
Sobig.B   May 18th      May 31st        2003-05-19_03
Sobig.C   May 31st      June 8th        2003-06-01_01
Sobig.D   June 18th     July 2nd        2003-06-18_03
Sobig.E   June 25th     July 14th       2003-06-26_02
Sobig.F   August 19th   September 10th  2003-08-19_02
_____________________________________________________
Detection
F-Secure Anti-Virus detects the worm with:
[FSAV_Database_Version]
Version=2003-08-19_02
[Description: Ero Carrera, Veli-Jussi Kesti; 19th-24th of August, 2003]
Thanks,
Mrs Ward