

Worms!!!!!!!!!!
August 22, 2003 11:47 AM   Subscribe

New Phase for Sobig.f Expected to Hit Friday. Any . . . minute . . . now. . .
posted by archimago (37 comments total)

What a crock of
%$#@*)$lkjoiwop)_#Jjfdsopifuap8308)#*)$#@J'#)(*)@*$:LKJ J)( *#$)L:KJF )*#)*$@U@)#$* JDFPO)#($*)!
posted by Busithoth at 11:56 AM on August 22, 2003


Well I got my first copy in my inbox. The creepy part is that it's from someone @us.army.mil who I've never met nor heard of.
This begs the questions:
1) Why am I in his address book?
2) (Assuming it's not this guy's home pc) Why is the Army running Windows?
posted by Treeline at 12:00 PM on August 22, 2003


treeline: Likely it's a 3rd party who has both you and army boy in his/her address book.

Either that or the feds are on to you, and I'd start running now.
posted by Adam_S at 12:03 PM on August 22, 2003


I've gotten over 3000 virus laden messages that I've tracked down to two IPs...both of which are on the rr.com domain. I can't for the life of me get RoadRunner to turn these computers off...despite the fact that they're obviously zombies. I finally just started refusing any traffic from the rr.com domain and now the stupid worm traffic is down to just a few messages every hour or so...from just random locations.
posted by dejah420 at 12:07 PM on August 22, 2003


Either that or the feds are on to you, and I'd start running now.

This seems more plausible. I'm going underground.
posted by Treeline at 12:08 PM on August 22, 2003


see ya Treeline -

I seem to be getting lucky with no SoBigs getting me today/this week. But apparently it's been bad this last couple days. Any other nastiness since 3pm or is it all a bunch of fluff?
posted by djspicerack at 12:10 PM on August 22, 2003


oh look, just in time "experts fend off attack"
posted by djspicerack at 12:19 PM on August 22, 2003


dejah, how did you "just refuse traffic" from an IP? Are you talking about a dedicated server you control or a shared ISP server?
posted by billsaysthis at 12:24 PM on August 22, 2003


You know, it's probably a good idea they (in theory) stopped what was going to happen, but it totally kills me to not know what this phase in the virus' mission was supposed to accomplish. I must know!!!
posted by emptybowl at 12:27 PM on August 22, 2003


You know, I just saw Terminator 3 last night, and this isn't helping.
posted by Johnny Assay at 12:30 PM on August 22, 2003


how did you "just refuse traffic" from an IP?

I do it with a line like this:

65.96 ERROR:666 Due to excessive spam, blocked.

in /etc/mail/access
$ wc -l access
1758 access
$

Blunt? Yes. Effective? Yes. 'Innocent people hurt?' Yes.
posted by rough ashlar at 12:34 PM on August 22, 2003


speaking of T3, I love the part when you are scrolling through the military base, and you see the flying death plane thingies hovering around the room... It was like a really bad omen.

emptybowl, agreed. I really really wanna know. Perhaps when SoBig.G comes out it will tell us. Though the fact that SoBig.F expires on 9/10 is probably not a good sign.
posted by djspicerack at 12:35 PM on August 22, 2003


Not to derail but can you point me to a good explanation of this access file? I'm not sure what to google for, the terms seem so commonplace. Thanks!
posted by billsaysthis at 1:12 PM on August 22, 2003


oh look, just in time "experts fend off attack"

Go Finns!
posted by blissbat at 1:13 PM on August 22, 2003


Well I got my first copy in my inbox. The creepy part is that it's from someone @us.army.mil who I've never met nor heard of.
This begs the questions:
1) Why am I in his address book?


From what I've read it seems this trojan's a bit different as it doesn't just harvest addresses from address book files but also from htm and html files. It then uses these addresses for the To field and to spoof the address in the From field.

This means that if Mr X has been to a site with your e-mail address in it, and another site with military dude's address in it you'll both be in Mr X's cache. His computer gets infected, Sobig scans for html files and finds both your addresses and sends the e-mail you've just described.
posted by dodgygeezer at 1:14 PM on August 22, 2003


Why am I in his address book?

The email might not really be from his computer. The virus spoofs the sender with addresses it's harvested. I've gotten bounce messages from providers who think I've been sending out the virus, even though I'm on a Mac (which is immune). So make sure you know what you're doing before you start blocking or reporting people!

Also what dodgygeezer said.
posted by hyperizer at 1:15 PM on August 22, 2003


I feel so left out of all this sobig worm hoopla, here on my mac. I mean it's all over the news and everyone in class is talking about it.

That's about 50% sarcastic.
posted by untuckedshirts at 1:25 PM on August 22, 2003


I know it's awful of me, but as I've received thousands of these things in the past couple of days, I hope the next phase is that it just executes the people who are infected by it.
posted by frenetic at 1:27 PM on August 22, 2003


I feel so left out of all this sobig worm hoopla, here on my mac. I mean it's all over the news and everyone in class is talking about it.

You're not avoiding them because you're on a mac. You're avoiding them because you're unpopular.

You may not be able to get infected, but I think Macs can receive a gazillion 100k emails just fine. I'm having zero problems with the actual virus part, it's just the quantity of crap flooding my mailbox.
posted by frenetic at 1:30 PM on August 22, 2003


frenetic: Your words hurt me. Right here (points to heart).

Seriously though, I haven't received one of these emails and I'm in plenty of 'not very knowledgeable PC users' address books in addition to operating several websites.

I suppose mail.app's filtering is catching these? As I said, my previous remark was 50% un-sarcastic as well.
posted by untuckedshirts at 1:36 PM on August 22, 2003


untuckedshirts, unless I'm mistaken, I believe even Mac users can still receive the e-mails that contain the virus. The virus just wouldn't be able to do much damage on/through that Mac because it's not running Windows. I don't see why receiving the messages wouldn't be possible unless your ISP is stripping the virus from e-mail before it arrives on your Mac. I'm on a Mac too. I haven't received much e-mail today, actually, and I wonder if it's because of virus-related congestion at my ISP.
posted by emelenjr at 1:40 PM on August 22, 2003


Darn. What frenetic said.

Also, you'd know if Mail was filtering the messages. Mail's junk mail filter starts working once a message arrives in your inbox.
posted by emelenjr at 1:42 PM on August 22, 2003


Also, you'd know if Mail was filtering the messages. Mail's junk mail filter starts working once a message arrives in your inbox.

But once you've stopped training it, spam is automatically shunted to the Junk Mail box, which he might not be checking.

I've probably gotten around a hundred virus emails in the past couple of days. It's pretty crazy.
posted by hyperizer at 1:49 PM on August 22, 2003


Right. I should have said "once a message arrives on your computer."

Since it's clear who the real culprit is for these nasty viruses, I say we should recall Microsoft.
posted by emelenjr at 1:57 PM on August 22, 2003


I do it with a line like this:

65.96 ERROR:666 Due to excessive spam, blocked.

in /etc/mail/access
$ wc -l access
1758 access
$


What do you mean you "do it with a line like this:"?

Do you think it over and over in your mind? Do you actually say it out loud a few times? Do you write it on your hand - pencil or ink?

What do you mean you "do it with a line like this:"?
posted by LowDog at 1:59 PM on August 22, 2003


He means that he adds the line '127.0.0.1. ERROR:666 Due to excessive spam, blocked.' to his /etc/mail/access file, where '127.0.0.1' is the IP address you wish to block.
posted by waxpancake at 2:28 PM on August 22, 2003
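As an added illustration of the /etc/mail/access lines discussed above (this is not code from the thread or from sendmail itself), the following is a simplified model of how sendmail's access map matches a connecting client: an IP key such as 65.96 is matched by leading octets, a domain key such as rr.com by trailing labels, and the most specific key wins. The sample access file, the keys in it and the client addresses are constructed; real sendmail also supports tagged keys (Connect:, From:, To:), which this model leaves out.

```python
"""Simplified model of a sendmail /etc/mail/access lookup (assumed, not sendmail's own code)."""
from typing import Dict, Optional, Tuple

# Constructed sample access file, modelled on the line quoted in the thread.
ACCESS_FILE = """\
# key            action
65.96            ERROR:666 Due to excessive spam, blocked.
rr.com           REJECT
friend.example   OK
192.0.2.10       DISCARD
"""


def parse_access(text: str) -> Dict[str, str]:
    """Parse access-file lines into {key: action}; blank lines and '#' comments are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line with no action: ignored rather than guessed at
        table[parts[0].lower()] = parts[1]
    return table


def _is_ip(client: str) -> bool:
    return all(part.isdigit() for part in client.split("."))


def lookup(table: Dict[str, str], client: str) -> Optional[Tuple[str, str]]:
    """Return (matching key, action) for an IP or hostname, most specific key first.
    IPs: try all 4 octets, then 3, 2, 1 (so 65.96 covers 65.96.0.0/16).
    Hostnames: try the full name, then strip leading labels (so rr.com covers *.rr.com)."""
    labels = client.lower().split(".")
    if _is_ip(client):
        candidates = [".".join(labels[:n]) for n in range(len(labels), 0, -1)]
    else:
        candidates = [".".join(labels[i:]) for i in range(len(labels))]
    for cand in candidates:
        if cand in table:
            return cand, table[cand]
    return None


def decision(table: Dict[str, str], client: str) -> str:
    """Reduce the action to its verb: ERROR, REJECT, DISCARD, OK, or ACCEPT when no key matches."""
    hit = lookup(table, client)
    if hit is None:
        return "ACCEPT"  # no rule: mail proceeds to the normal checks
    return hit[1].split()[0].split(":")[0]
```

Note how coarse a two-octet key is: the whole 65.96.0.0/16 block is refused, which is the 'innocent people hurt' trade-off the poster above acknowledges, and since Sobig.F spoofs the From address the key should name the connecting client, not the claimed sender.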


he means he puts a line like that in /etc/mail/access. as in, he opens the file in an editor, adds the line, saves the file.
posted by quonsar at 2:28 PM on August 22, 2003


One of the nice things about this version of sobig is that it only uses a few subject lines. You can easily filter by subject with most email clients. I wrote about it here for those interested.

I've tried it at a couple sites with server-side filtering and it's working well. One client was getting 100 messages an hour in his inbox. Ouch.
posted by skallas at 3:09 PM on August 22, 2003


I know my email's been really slow this week--I get the bulk of my email through the company I host my website with, and they said they're filtering incoming mail for the virus, so I would expect that they're not the only ones.

I've had a few slip through the cracks, but as I'm also on a Mac, it's not caused any problems for me other than cluttering my inbox.
posted by eilatan at 3:13 PM on August 22, 2003


Aug 17: 2
Aug 18: 22
Aug 19: 369
Aug 20: 1679
Aug 21: 2623
Aug 22: 1811

That's a count of inbound email at work with a size of over 90,000 bytes.

(The bad bits of it tagged and defanged by Spamassassin on the server and harmlessly moved to a spam folder on the clients by Pegasus Email.)
posted by duckstab at 3:38 PM on August 22, 2003


I'm on a mac and have received over 250 sobig messages in the last 72 hours, in 2 of my 3 inboxes. My yahoo address has only gotten 2 or 3 tops, they must filter most of it.
posted by luriete at 3:54 PM on August 22, 2003


I've received 0 on my personal email -- maybe that's due to knowspam or maybe I'm just lucky that way.

OTOH our corporate email system is dead today. :P
posted by Foosnark at 4:36 PM on August 22, 2003


I wish I could buy lowdog a drink.
posted by pejamo at 5:20 PM on August 22, 2003


Our university computing has been shut down entirely for two days due to this or some other virus--they're not really telling us what is going on.

I think they're just going to leave the campus unplugged until this whole virus problem goes away. I think they should force everyone on campus to move to Linux.
posted by mecran01 at 7:03 AM on August 23, 2003


pejamo - Make it a pint from a local micro brew thank you :~)
posted by LowDog at 7:32 AM on August 23, 2003


on the /etc/mail/access thing - it's only going to work on some kind of unix, not windows. on my debian linux computer such a file doesn't exist. maybe it's mac os x?

another alternative for a unix machine (more likely to work than /etc/mail/access) is to use procmail, but again that's not particularly user-friendly (and i'm not going to explain how here!).
posted by andrew cooke at 8:51 AM on August 23, 2003


Thank God for SpamAssassin and procmail... I have yet to receive even ONE.
posted by fooljay at 10:55 AM on August 24, 2003



