FRISK Virus Alert: W32/Sobig.C@mm

This is a virus alert for W32/Sobig.C@mm, a new mass-mailing
worm first detected on 31 May 2003.

W32/Sobig.C distributes both via e-mail messages pretending
to be from "bill@microsoft.com" and open network
resources.

Risk:
Due to its distribution W32/Sobig.C@mm is estimated to be
medium risk.

http://www.f-prot.com/

 

No definitions yet for Norton AV. For those who can't wait there are Beta definitions at

http://securityresponse.symantec.com/avcenter/beta.download.html

These definitions are not fully tested.

 

Hi Longthing,

They should be in the upcoming Live Update for today.

Due to an increased rate of submissions, Symantec Security Response has upgraded W32.Sobig.C@mm from a Category 2 to a Category 3 as of June 1, 2003

Protection:
Beta Virus Definitions May 31, 2003

Virus Definitions (Intelligent Updater) June 01, 2003

Virus Definitions (LiveUpdate™) June 01, 2003

http://makeashorterlink.com/?T1D4424C4

Regards,

Pieter

 

When i posted the reply the update was stil planned for june 2. Good to see they come with the update today

 

well, in my experience (from last night), the sender is *not* always bill...
It seems that te worm also fakes senders from the pool of harvested email adresses.
(I got notice that i've been infected, sending the worm out when i wasnt - from a person who isn't infected either but who figures as From: value in a worm mail i've received. So someone we both know must be the one who's infected... Mail hops are not easily parsed/evaluated (no simple pattern i mean))

BTW, NOD caught those nasties.

Cheers,
Andreas

 

Youre right. Got one to day, intercepted by Nod. Sender was a lycos-europ.com e-mailadres

 

Quote from the Kaspersky newsletter June 03, 2003
[hr]
"Sobig" Is Back!
A new version of the network worm "Sobig" has been detected - Sobig.c.
Already there have been numerous registered infections from the new
version of this malicious program.

>From the time of the first appearance of the "Sobig" worm in mid January
2003 three versions have been identified and indexed as 'A', 'B' and
'C'. In the May compilation of the twenty most widespread viruses
(http://www.kaspersky.com/news.html?id=978792) Sobig has managed to
confidently outpace such infamous titans as "Klez" and "Lentin" (aka
"Yaha").

The "Sobig" worm spreads itself via e-mail in the form of a file
attachment as well as over local area networks. To spread over LANs
Sobig copies itself to shared network drives, while via e-mail the worm
scans infected computers for files containing e-mail addresses and then
clandestinely sends copies of itself to the found addresses. To draw
users into launching the file attachment containing the infected code,
"Sobig" employs various social engineering techniques, among which is a
message disguised as a technical support message sent from Microsoft.

Of the collateral effects caused by Sobig, it is essential to note the
worm's ability to download and install from a remote Web-servers updated
versions of itself as well as to impregnate infected systems with
spyware programs.

"Sobig.b" (aka "Palyh") essentially breathed new life into the worm and
is the main reason Sobig was able to rise to the highest position in
May's accounting of the most widespread virus programs. Still, this
version's code contains a time trigger: if the system date on an
infected computer surpasses May 31, the worm automatically shuts down
all its functions except for its ability to download additional files.
This characteristic fundamentally doomed "Sobig.b" as the web-server
from which it retrieves its updates has been closed down.

"Sobig.c", the worm's newest version is virtually identical to its
predecessors, though it is operable only until June eighth, after which
it is diffused. "One gets the impression that the creation of 'doomed
worms' is somehow a trait of the virus author's particular style;
unfortunately the whereabouts of this author are not yet known,"
commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky
Labs. "Perhaps we can assume that the next array of worms to appear in
this 'Never-ending Story' will be active only until June 16, 23, 30
etc."

Most reputable anti-virus companies have already added the fix for
"Sobig.c" to their anti-virus databases. To avoid the unpleasantries of
infection it is advisable to update your anti-virus software's database.

More detailed information about all three "Sobig" versions can be found
in the Kaspersky Virus Encyclopedia at the addresses listed below:

Sobig.a -
http://www.viruslist.com/eng/viruslist.html?id=58906
Sobig.b(aka Palyh)-
http://www.viruslist.com/eng/viruslist.html?id=60634
Sobig.c -
http://www.viruslist.com/eng/viruslist.html?id=60723

 

Just received the newsletter too.

 

Again a quote from the Kaspersky newsletter June 04, 2003
[hr]
"Sobig" Worm Possibly Aided By Spamming Techniques
As has been reported by Kaspersky Labs
(http://www.viruslist.com/eng/index.html?tnews=1001&id=60726), a new
modification of the "Sobig" network worm, "Sobig.c" has been spreading
across the Internet. After examining the situation, Kaspersky Labs
believes there is a strong possibility that the virus' creators used
spamming technology to mass mail the "Sobig.c" worm.

Network worms differ from other malicious programs with their ability to
automatically propagate (deliver infected messages, attack P2P networks,
local area networks etc.). The situation with "Sobig.c" appears to be
the first time these functions were fortified by mass mailing
technology. As such, the use of this technology would explain how the
"Sobig" worm family instantly jumped to first place in May's list of the
most widespread virus programs.

Under this conclusion it is possible to state a few facts: Firstly, the
spreading methods used by the "Sobig" worm are not effective enough to
cause such a large number of infections in such a short period of time.
Secondly, the overwhelming majority of the infected messages being sent
out do not use the address bill@microsoft.com as stipulated in the
worm's code, but rather other falsified addresses. Finally, detailed
analysis of the IP-addresses at the source of "Sobig.c" mailings
confirms the high probability of the use of spamming technology.

It is doubtful that spammers decided to expand their business to include
the anonymous mailing of infected messages. Likewise doubtful would be
virus creators using for hire spamming services that would have cost up
to several thousand US dollars. For even the most obsessed virus writer
this amount would almost surely be prohibitive. On the other hand, it
should be noted that the computer underground have perfected the art of
covering their tracks. They masterfully use anonymity and the
extraterritoriality of the worldwide Web to hide their illegal
activities.

"It is possible that virus writers actually decided to quench their
irrational thirst to destroy with the help of spamming technology",
commented Eugene Kaspersky, Head of Anti-Virus Research at Kaspersky
Labs. The consequences of this symbiosis are hard to over estimate.
Using "spamesque" mass mailings can tremendously increase the speed by
which worms spread and the geographic territory covered. This
technological integration could provoke global flood-attacks on the
Internet (such as happened with 'Slammer') that could lead to the
lowering of the networks productivity and even result in its
decomposition into disconnected segments.

"It is possible to simply blame the evil geniuses who thought up this
method of network attack. On the other hand one should look at the
situation objectively; naturally in the environment of complete chaos
and total anonymity that reigns over the Internet, certain people are
not able to resist the temptation to commit cyber hooliganism", injected
Eugene Kaspersky. According to Kaspersky Labs' research, the overriding
factor motivating the overwhelming majority of virus creators to
practice their craft is impunity. If they would be confident in the
eventuality of being punished for committing unlawful acts, by far the
majority of virus creators would simply cease to commit their crimes.
This reality once more confirms the urgency to establish additional
Internet security measures or to create a parallel, protected network to
be used exclusively for business communications.

 

Security experts did agree that computer users should be ready for a new version of the Sobig virus this weekend.
The Sobig.C variant is programmed to expire on June 8 and Sobig.C was released on the same day that its predecessor, Sobig.B, was programmed to stop spreading.
The serial releases may be an effort by the Sobig author to fool antivirus software by subtly altering the makeup of the virus. Alternatively, the author could be releasing "proof of concept" viruses, testing the success of different viruses depending on when and how they are distributed, according to Sunner and Belthoff.

Source: http://story.news.yahoo.com/news?tmpl=story&u=/pcworld/20030604/tc_pcworld/111028