***Edited: I thought it was me but it appears it's all over so I guess it's more than me!***
I got hit with the W32.Sobig.F@mm virus and it is mass emailing all email addresses not only on my system but is also hitting all html sites found on my system and emailing those addresses.
If you are getting them from me I apologize. I am all fixed now. Make sure you scan your systems.
Norton caught it but I had to manually fix it.
[ August 19, 2003, 11:53 AM: Message edited by: Amy Brown ]
Posted by Joe Rees (Member # 211) on :
Well now I know whose address book I'm in. Norton deleted 12 instances just now, on incoming messages. Oddly enough, none seemed to be from you directly, but a few names were recognized BB members. Some slimeball must be reveling in their dastardly handiwork this morning.
Posted by Kristi Percell (Member # 255) on :
Good Morning Amy!
I have not received any emails from you directly, but as Joe stated, I too have received SEVERAL emails today from names that I recognize from the BB.
Not quite sure what is up, hopefully someone can shed some light on the subject.
Have a great day!
Kristi
Posted by Amy Brown (Member # 1963) on :
Man, this stinks! I'm really sorry. Have no clue how I got this. I think I got it from someone else first and didn't really notice. Norton didn't pick it up on email scanning. Then I was getting like 20 emails per minute from places I've never even heard of. I quickly figured it out and ran Norton Update then scan and it picked it up. I'm still getting tons of email all are infected and Norton is automatically deleting those files.
If you got the emails and they aren't scanned I wouldn't take chances with it. Just assume you've got it too.
Technology, isn't it great!!
Posted by Glenn Taylor (Member # 162) on :
Yep. I've received about 18 so far.
I feel so special.
Posted by Henry Barker (Member # 174) on :
In the last hour or so I have had about 20-30 mails all with virus from names like markrobt@aol.com, sfrog@talk21.com, editor@signindustry.com, etc etc so lots coming from the bb side of the world!!
Posted by Amy Brown (Member # 1963) on :
Okay, this thing is spreading like wild fire. I just checked and none of you are in my address book. So, whoever I sent it to is hitting their addresses and then those are hitting their addresses. I'm beginning to think I didn't start this thing after all!!
My first was from rldsigns@aol.com
Posted by Curtis hammond (Member # 2170) on :
Set your Outlook or Outlook Express to NOT preview any email. That way you will not automatically start any email viruses you may get through email. Once started it will spread infections within seconds. Another check you can use is not to keep emails in the address books. Keep them in a Word or Notepad document.
Most viruses such as this one cannot spread unless you open an infected email.
Posted by Alfred Toy (Member # 3844) on :
In Outlook you should download item description only. The message stays on the server until you decide whether to download or not.
Under options, mail setup, send receive, edit group or account name, select download item description only.
Posted by Bill Cosharek (Member # 1274) on :
Got 2 this morning. One from a recognized name around here & the other unknown. Both messages said to check attachment for details; but there were no attachments. Neither was from Amy.
Posted by Janette Balogh (Member # 192) on :
Amy you didn't start it.
Getting stuff here too. My trusty delete button is working fine.
Posted by Doug Allan (Member # 2247) on :
Don't check attachments on suspect email.
Posted by Mike Pipes (Member # 1573) on :
I'm not getting any here, so it's nice to know none of you have my email address in your addy books.
Seriously though, like Curtis said, disable the Preview feature in Outlook/Outlook Express. I know it's handy to have but that's how these buggers launch themselves. If the Preview is enabled, the virus launches itself as soon as you click on the email to delete it!
I delete any and all suspect emails immediately then flush out the deleted items folder. If I'm not sure about the contents of an email, I right-click it, check the properties then look at the message source to see if there's anything in it I should look at.
Posted by Amy Brown (Member # 1963) on :
I usually dump everything I don't know but I thought I recognized the email that got me as a letterhead and opened it. My bad! I've been so busy I didn't know if I was working on something with this person or what. Obviously not!
I never keep the preview pane open either so it was just luck of the draw today. And as bad as my luck goes it doesn't surprise me in the least.
Yippee!!
Posted by George Perkins (Member # 156) on :
I guess things in life do balance out. My IP doesn't provide any free space for hosting pics. It's run by the local phone company, whose lines are so bad in my area that I can only connect at 24,000. They do however provide an anti virus screening and an anti spam/junk mail service. I haven't received a virus in a couple of years, nor any unwanted e-mail. You only get notified every few days. I still keep my Norton updated, but it doesn't have anything to do these days.
Posted by Jackie B (Member # 186) on :
I'm receiving them too, but it's not Lettervilles specific. Luckily my ISP filters everything and simply notifies me I have a virus at the ISP "greymail" site. They delete that junk for me. It's sad when someone has nothing better to do than wreak havoc on unsuspecting gentle people! Be careful out there. I'm sure we'll probably hear about it all on the news tonight. Bomba-Dear.
Posted by Jon Butterworth (Member # 227) on :
I have a spam problem too!
I now use www.mail2web.com site to preview all the e-mails on my server. It's a free site and can be accessed from any computer as long as you know your password for your e-mail.
It lists them 20 at a time and you can select delete, hold or open. Quite handy when you're traveling too! If you open in this site you have to send a copy back to yourself if you want to keep it.
Certainly a lot quicker and safer than waiting for Outlook Express to download.
Hope this helps.
Posted by John Deaton III (Member # 925) on :
I got twenty emails today all with RE: as the subject in my web based email. Some from addresses I knew, others I didn't. Deleted 'em all. Buggers.
Posted by R T Thomas (Member # 355) on :
Amy,
Like Jon (Bushie), I always check my mail thru www.web2mail.com before downloading into my inbox. Jon, you said you have to send any messages you want to keep to yourself? I just don't delete the ones I want and then download them thru my mail server as usual. You must have a different client set-up than I do.
The good thing about doing it this way is all spam can be eliminated off the server before you ever load it onto your machine. See ya,
Posted by Laura Butler (Member # 1830) on :
I got bombarded yesterday and so this morning I went and checked my address book and found about 50 addresses of people that I don't know. So I deleted those.
Posted by David Fisher (Member # 107) on :
Mail washer also is a handy program for checking your mail server contents before downloading. http://www.mailwasher.net/ David
Posted by Jeffrey Vrstal (Member # 2271) on :
Type: Win32 worm
Detection: A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the October 2003 (3.74) release of Sophos Anti-Virus.
Sophos has received many reports of this worm from the wild.
Description: W32/Sobig-F is a worm that spreads via email and network shares.
W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:
The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.
The email has the following format:
Subject line: Chosen from - Re: That movie; Re: Wicked screensaver; Re: Your application; Re: Approved; Re: Re: My details; Re: Details; Your details; Thank you!
Message text: Chosen from - Please see the attached file for details.; See the attached file for details
W32/Sobig-F also attempts to spread by copying itself to Windows network shares and uses the Network Time Protocol to one of several servers in order to determine the current date and time. If the date is September 10 2003 or later the worm stops working.
Recovery: Read instructions on how to remove the W32/Sobig-F worm and ensure your system is not vulnerable to reinfection.
Posted by Mike Pipes (Member # 1573) on :
Adding onto Jeff's post..
I've gotten a few of these emails this morning, some from names/addies I recognize and some I don't.
Here's another twist..
I also received a Returned Mail notice from AOL's mailer daemon, telling me that an email I sent had a virus and that the email was rejected.
After checking out the message source itself (the complete message headers) here's what I saw...
1. The original email that got rejected was sent to Dan Antonelli - I recognized his email address from having visited his website in the past, however I do not have his email in my address books! Hmmmmm!!!
2. The original email had MY name in the "From:" field although my machine is clean.
3. The proof: the headers list the IP addresses of the originating machine and all the relays the message takes en route. The IP listed is not mine, which I am sure of because my IP is static.. my mail server was not listed as a relay, reinforcing the fact the email didn't come from my machine because all my mail goes through my own servers!
So, when you recognize a name or email address on an email that potentially has a virus, keep all this in mind because it's apparent the virus is swapping email addresses from its host computer into its own messages!
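Added example (not part of the original thread or any poster's own code): the header check described in the post above, done in Python over a constructed sample message. The addresses, host names and the "my hosts" list are assumptions using documentation-only ranges.

```python
import re
from email import message_from_string
from ipaddress import ip_address

# Constructed bounce-style sample: From: names the forum member, but the
# Received: chain (newest hop first) shows a different originating machine.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.7])
\tby mailstore.recipient.example with ESMTP; Tue, 19 Aug 2003 10:02:11 -0400
Received: from HOMEPC (dialup-44.isp.example [203.0.113.44])
\tby mx.recipient.example with SMTP; Tue, 19 Aug 2003 10:02:09 -0400
From: Member <member@signshop.example>
To: someone@recipient.example
Subject: Re: Details

Please see the attached file for details.
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_path(raw_message):
    """Return hop IPs ordered from originating machine to final relay."""
    msg = message_from_string(raw_message)
    hops = []
    for header in msg.get_all("Received", []):
        m = IP_IN_BRACKETS.search(header)
        if m:
            hops.append(ip_address(m.group(1)))
    hops.reverse()  # each server prepends its header, so the origin is last
    return hops

def came_from_my_hosts(raw_message, my_ips):
    """True only if one of the sender's own known IPs appears in the path."""
    mine = {ip_address(ip) for ip in my_ips}
    return any(hop in mine for hop in relay_path(raw_message))

def verdict(raw_message, my_ips):
    path = relay_path(raw_message)
    if not path:
        return "no usable Received headers"
    if came_from_my_hosts(raw_message, my_ips):
        return "path includes my host"
    return f"forged From: origin was {path[0]}"

if __name__ == "__main__":
    # 192.0.2.10 / 192.0.2.25: assumed static IP and mail server of the named sender
    print(verdict(SAMPLE, ["192.0.2.10", "192.0.2.25"]))
```

Only the Received lines written by servers you trust are reliable; anything below the first trusted hop can be invented by the sending machine.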
Posted by Jeffrey Vrstal (Member # 2271) on :
I think that it is about time for us to take action and "paint" these morons into a corner, and then yank their internet connection, leaving them dangling without food, water or extra RAM.