email pro needed to advise

Discussion in 'other security issues & news' started by Sacred, Jan 20, 2003.

Thread Status:
Not open for further replies.
  1. Sacred

    Sacred Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    7
    I received a weird email a few days ago, and it has passed virus scans and trojan scanners etc., but it still worries me. The body of the email had nothing aside from the word 'attachment:', no other visible content elsewhere. The attachment is an encrypted MIME (maybe). The attachment extension is .pif.

    File name is Document003.pif, 65.5 KB.
    I have recently been delving into system events and going deeper into codes and registry entries. I was floored to see how many ways requests and subterraneous links anyone could use to attain any info they wanted.

    Can you advise me?
     
  2. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Sacred,

    Did you submit a copy to antivirus and antitrojan companies?

    Anyway: feel free to send a (zipped) copy to our support:
    support@wilders.org

    regards.

    paul
     
  3. Sacred

    Sacred Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    7
    Heya Paul :)

    Thanks for responding... yep, sent it to a couple of sites... no feedback yet :/

    Will send it on to you guys after this post. Would really like to find out what is happening one way or the other.

    Thanks in advance
    ~Rose
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Rose,

    We'll look into it ;).

    regards.

    paul
     
  5. Achy_

    Achy_ Guest

    As a rule, "Never open e-mail attachments with the file extensions VBS, SHS or PIF. These extensions are almost never used in normal attachments but they are frequently used by viruses and worms"---F-Secure, Tips on Avoiding Computer Worms
    http://www.europe.f-secure.com/virus-info/tips.shtml
     
  6. Sacred

    Sacred Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    7
    Achy_, you were right on the money!

    I found this today:

    Source: By Paul Roberts, IDG News Service, January 15, 2003

    "Sobig worm getting bigger"
    _________________________________________________________________________

    A new computer worm, Sobig, is spreading on the Internet, according to alerts posted by a number of antivirus software companies.
    Sobig uses e-mail and shared network folders to infect machines running Microsoft Corp.'s Windows operating system, according to information from Helsinki, Finland-based antivirus company F-Secure Corp.

    The worm arrives in e-mail messages from a single sender, big@boss.com, and is stored in attached executable files with names such as Sample.pif, Untitled1.pif and Movie_0074.mpeg.pif, according to F-Secure.

    When opened, the worm places a copy of itself into the Windows folder on the infected machine, creates a process to run the worm program and modifies the Windows registry so that the worm program will be launched whenever Windows is started.

    Once it has infected a machine, the worm searches for e-mail addresses in a variety of text files on the computer's hard drive. Those addresses are used to send out more copies of itself. Sobig also searches for any shared folders on networks that the infected machine may have access to and places a copy of itself in any network folder it can access.

    Although the new worm doesn't appear to steal sensitive information from the computers it infects, F-Secure said antivirus companies warned that the worm connects to a Web site hosted by Yahoo Inc.'s GeoCities, from which it tries to download and execute other files.

    The GeoCities Web page used by Sobig was modified recently to instruct the worm to download a Trojan program known as Backdoor.Delf that gives the virus writer and others control of infected machines, according to Mikko Hypponen, manager of antivirus research at F-Secure.

    GeoCities has been notified about the page by F-Secure as well as the CERT Coordination Center in Pittsburgh, according to Hypponen. Yahoo wasn't immediately available to comment on the Sobig worm.

    The worm first came to the attention of antivirus companies last Thursday and began spreading slowly, Hypponen said. In recent days, however, it has spread more rapidly. As of Tuesday, F-Secure gave the worm a Level 2 ranking, indicating "large infections" and putting it in a category with well-known predecessors such as the Klez worm.

    Other antivirus companies upgraded their threat ratings for Sobig, as well. On Monday, Symantec Corp.'s Security Response upgraded Sobig from a Category 2 to a "moderate" Category 3 threat.

    The success of Sobig since it first appeared surprised Hypponen, who said Sobig is a comparatively simple worm that lacks many of the sophisticated features that allow the new generation of viruses to spread.

    For example, Sobig always arrives in e-mail messages from the same sender, big@boss.com, unlike recent successful worms such as Bugbear or Lirva, which generated their own sender addresses, swapped in trusted sender addresses from sources such as antivirus vendors or selected them at random from a long list.

    In addition, the Sobig e-mail messages use one of only a small number of subjects, unlike recent worms, which use a larger list of possible subjects and attachment names or generate their own at random, according to Hypponen.

    Finally, Sobig requires e-mail recipients to double-click on the attachment containing the worm. Recent vintage worms like Lirva and Bugbear often take advantage of a Microsoft Internet Explorer and Outlook vulnerability known as the "IFrame exploit" that allows e-mail attachments to be launched without any user interaction.

    "I don't know why it's spreading. I cannot explain it at all," Hypponen said.

    Most antivirus software vendors have updated their software to be able to identify Sobig. With auto-update features standard on such programs -- and even without such features -- the Sobig filter was available to most users in plenty of time to stop the spread of the worm, Hypponen said.

    Antivirus software vendors posted instructions on their Web pages for removing Sobig from infected machines and recommended that all users update their virus definitions to protect against the new worm.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    On the upside, although I had 4 different scanners test it and tear it apart, it was not executed into my software environment. *Deep breath of relief*

    I wonder why I haven't heard back from Soho and Symantec? *shrug*

    Once again... MANY thanks for all of your help! That's one less albino attribute on my head ;)

    ~Rose :D
     
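The posts above boil down to a checklist: an attachment whose final extension is one Windows executes (F-Secure's VBS, SHS, PIF), a double extension such as Movie_0074.mpeg.pif that hides it, and, for Sobig specifically, the fixed sender big@boss.com. As an added example (not code from this thread, F-Secure or IDG), here is a small Python screen that parses a raw e-mail message and reports each of those. Assumptions: the extension list extends F-Secure's three with a few other Windows-executable types; the sample message is constructed, and its attachment is a 12-byte stub of a PE header, not a real file; the "MZ" check is included because a .pif worm file is a renamed Win32 executable, so it catches the same thing even when the name is changed.

```python
# Added example (not from the thread, F-Secure or IDG): screen a raw e-mail
# message for the attachment pattern the posts above describe. Assumptions:
# the extension list extends F-Secure's VBS/SHS/PIF with a few other
# Windows-executable types; the sample message below is constructed, and its
# "attachment" is a 12-byte stub of a PE header, not a real file.
import email
from email import policy
from email.utils import parseaddr

# F-Secure's three (vbs, shs, pif) plus other extensions Windows runs as
# programs; the extra ones are this example's addition.
RISKY_EXTENSIONS = {"pif", "vbs", "shs", "exe", "scr", "com", "bat", "cmd"}

# Fixed sender used by Sobig according to the quoted article.
KNOWN_BAD_SENDERS = {"big@boss.com"}


def risky_extension(filename):
    """Return the final extension, lower-cased, when Windows would execute the
    file (e.g. 'pif' for 'Document003.pif'); None for anything else.
    Only the last suffix matters, because that is what the shell acts on."""
    parts = filename.lower().rsplit(".", 1)
    if len(parts) == 2 and parts[1] in RISKY_EXTENSIONS:
        return parts[1]
    return None


def disguised_as(filename):
    """For a double extension such as 'Movie_0074.mpeg.pif' return the benign
    looking inner suffix ('mpeg'); None when the name carries a single
    extension or is not executable at all."""
    parts = filename.lower().split(".")
    if len(parts) >= 3 and parts[-1] in RISKY_EXTENSIONS:
        return parts[-2]
    return None


def screen_message(raw):
    """Parse RFC 822 text and return a list of findings (empty = clean).
    Three checks: known worm sender, executable attachment extension
    (with the double-extension trick called out), and an attachment whose
    bytes begin with the 'MZ' DOS/PE header regardless of its name."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    _, sender = parseaddr(str(msg.get("From", "")))
    if sender.lower() in KNOWN_BAD_SENDERS:
        findings.append(f"sender {sender} is a known worm sender")

    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue  # multipart containers and the text body have no filename
        ext = risky_extension(name)
        if ext:
            note = f"attachment {name} has executable extension .{ext}"
            inner = disguised_as(name)
            if inner:
                note += f" disguised as .{inner}"
            findings.append(note)
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(b"MZ"):
            findings.append(f"attachment {name} starts with the MZ executable header")
    return findings


# Constructed sample in the shape the article describes: fixed sender,
# one-word body, .pif attachment with a double extension. The base64 payload
# decodes to the first 12 bytes of a PE header (a stub, not a worm).
SAMPLE_EML = """\
From: big@boss.com
To: user@example.com
Subject: Re: Movie
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="us-ascii"

attachment:
--BOUNDARY
Content-Type: application/octet-stream; name="Movie_0074.mpeg.pif"
Content-Disposition: attachment; filename="Movie_0074.mpeg.pif"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--BOUNDARY--
"""

if __name__ == "__main__":
    for finding in screen_message(SAMPLE_EML):
        print(finding)
```

Run it against a saved .eml (for example `screen_message(open("suspect.eml").read())`) and it prints three findings for the sample: the sender, the .pif extension disguised as .mpeg, and the MZ header. The extension check deliberately looks only at the last suffix, since that is the one Windows acts on; the inner suffix is reported only to show the disguise, and the MZ check is what survives a rename.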