[THIN] Re: Alert! Lookout !!! New variant of Sobig Virus.

  • From: Evan Mann <emann@xxxxxxxxxxxxxxxxxxxxx>
  • To: "'thin@xxxxxxxxxxxxx'" <thin@xxxxxxxxxxxxx>
  • Date: Wed, 20 Aug 2003 08:25:20 -0400

600?  Wow you're lucky, I'm well into 3000, and it snuck into my systems
before Symantec had updated definitions for its e-mail scanners.  First time
something has hit me before I had updated virusdefs, but it's my fault.  I
didn't set up attachment blocking in my new e-mail software after we upgraded
to E2K3 this past weekend.  D0h.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf
Of Jan Broucinek
Sent: Wednesday, August 20, 2003 7:32 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Alert! Lookout !!! New variant of Sobig Virus.


Our mail gateway GFI MailSecurity has been having a wonderful time stopping
this thing for the past 24hrs. Since 5pm last night I've seen over 600
instances of it.

----- Original Message ----- 
From: "Jim Kenzig http://thethin.net"; <jimkenz@xxxxxxxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>; <windows2000@xxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 10:52 PM
Subject: [THIN] Alert! Lookout !!! New variant of Sobig Virus.


> I just got 1300 messages with this one in it!!!!  Trend says medium
> alert...I'd rate it much higher!
>
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
>
>
> QUICK LINKS Solution
>
> ----------------------------------------------------------------------------
>
> Virus type: Worm
>
> Destructive: No
>
> Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F,
> Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f
>
> Pattern file needed: 617
>
> Scan engine needed: 6.100
>
> Overall risk rating: Medium
>
> ----------------------------------------------------------------------------
>
> Reported infections: Medium
>
> Damage Potential: High
>
> Distribution Potential: High
>
> ----------------------------------------------------------------------------
>
> Description:
>
> TrendLabs has received several infection reports of this mass-mailing worm
> from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium
> Risk alert to control the spread of this malware.
>
> This worm propagates by mass-mailing copies of itself using its own Simple
> Mail Transfer Protocol (SMTP) engine. It collects email addresses from files
> with the following extensions:
>
> DBX
> HLP
> MHT
> WAB
> HTML
> HTM
> TXT
> EML
>
> It sends out email messages with the following details:
>
> Subject: <any of the following:>
> Re: Thank you!
> Thank you!
> Re: Details
> Re: Re: My details
> Re: Approved
> Re: Your application
> Re: Wicked screensaver
> Re: That movie
>
> Message body: <any of the following:>
> See the attached file for details.
> Please see the attached file for details.
>
> Attachment: <any of the following:>
> your_document.pif
> document_all.pif
> thank_you.pif
> your_details.pif
> details.pif
> document_9446.pif
> application.pif
> wicked_scr.scr
> movie0045.pif
>
> It may spoof the FROM field using email addresses found on the infected
> machine so that its email messages appear to originate from one source but
> were actually sent from another.
>
> This worm deactivates its propagation routine on September 10, 2003.
>
> This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
>
> Solution:
>
> AUTOMATIC REMOVAL INSTRUCTIONS
>
> To automatically remove this malware from your system, please use the Trend
> Micro System Cleaner.
>
> MANUAL REMOVAL INSTRUCTIONS
>
> Identifying the Malware Program
>
> To remove this malware, first identify the malware program.
>
> Scan your system with your Trend Micro antivirus product. NOTE all files
> detected as WORM_SOBIG.F. Trend Micro customers need to download the latest
> pattern file before scanning their system. Other Internet users may use
> Housecall, Trend Micro's free online virus scanner.
>
> Terminating the Malware Program
>
> This procedure terminates the running malware process from memory. You will
> need the name(s) of the file(s) detected earlier.
>
> Open Windows Task Manager.
> On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
> On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the
> Processes tab.
> In the list of running programs*, locate the malware file or files detected
> earlier.
> Select one of the detected files, then press either the End Task or the End
> Process button, depending on the version of Windows on your system. Do the
> same for all detected malware files in the list of running processes.
> To check if the malware process has been terminated, close Task Manager, and
> then open it again.
> Close Task Manager.
>
> *NOTE: On systems running Windows 95/98/ME, Task Manager may not show
> certain processes. You may use a third party process viewer to terminate the
> malware process. Otherwise, continue with the next procedure, noting
> additional instructions.
>
> Removing Autostart Entries from the Registry
>
> Removing autostart entries from the registry prevents the malware from
> executing during startup.
>
> To remove the malware autostart entries:
>
> Open Registry Editor. To do this, click Start>Run, type Regedit, then press
> Enter.
> In the left panel, double-click the following:
> HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry or entries:
> TrayX = "%Windows%\winppr32.exe /sinc"
> (Note: %Windows% is the Windows folder, which is usually C:\Windows or
> C:\WINNT.)
> In the left panel, double-click the following:
> HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry or entries:
> TrayX = "%Windows%\winppr32.exe /sinc"
> Close Registry Editor.
>
> NOTE: If you were not able to terminate the malware process from memory as
> described in the previous procedure, restart your system.
>
> Deleting Dropped File
>
> Right-click Start then click Search or Find, depending on your version of
> Windows.
> In the Named input box, type:
> WINSTT32.DAT
> In the Look In drop-down list, select the drive which contains Windows, then
> press Enter.
> Once located, select the file then hit Delete.
>
> Running Trend Micro Antivirus
>
> Scan your system with Trend Micro antivirus and delete all files detected as
> WORM_SOBIG.F. To do this, Trend Micro customers must download the latest
> pattern file and scan their system. Other Internet users can use HouseCall,
> Trend Micro's free online virus scanner.
>
> For product specific solutions, please refer to Solution 16031 of Trend
> Micro's Knowledge Base.
>
> Trend Micro offers best-of-breed antivirus and content-security solutions
> for your corporate network or home PC.
>
> For additional information about this threat, see Technical Details.
>
> ********************************************************
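The mail characteristics in the advisory quoted above (subject lines, body text, attachment names and the .pif/.scr extensions), turned into the kind of gateway-side check that stopped this worm for Jan and that Evan wished he had enabled. This is an added example, not part of the original thread, of GFI MailSecurity, or of any Trend Micro product; the indicator lists are copied from the advisory, and the sample message and addresses are constructed for the test.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the advisory quoted above.
SUBJECTS = {"Re: Thank you!", "Thank you!", "Re: Details", "Re: Re: My details",
            "Re: Approved", "Re: Your application", "Re: Wicked screensaver",
            "Re: That movie"}
BODIES = {"See the attached file for details.",
          "Please see the attached file for details."}
ATTACHMENTS = {"your_document.pif", "document_all.pif", "thank_you.pif",
               "your_details.pif", "details.pif", "document_9446.pif",
               "application.pif", "wicked_scr.scr", "movie0045.pif"}
# Blocking these extensions outright is the gateway-side "attachment blocking"
# Evan refers to; it also catches copies whose file name is not on the list.
BLOCKED_EXT = (".pif", ".scr")

def sobig_indicators(raw):
    """Return the advisory indicators matched by one raw RFC 822 message.
    The From header is deliberately not checked: the advisory says it is spoofed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip() in BODIES:
        hits.append("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment-name:" + name)
        elif name.endswith(BLOCKED_EXT):
            hits.append("attachment-ext:" + name)
    return hits

def build_sample(subject, body, filename):
    """Constructed test message in the shape the advisory describes."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"   # constructed address
    m["To"] = "thin@example.invalid"        # constructed address
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(b"not a real executable", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    raw = build_sample("Re: That movie", "See the attached file for details.",
                       "movie0045.pif")
    print(sobig_indicators(raw))  # ['subject', 'body', 'attachment-name:movie0045.pif']
```

A real gateway would quarantine on any hit and, given the advisory's point that the sender is spoofed, would not bounce the message back to the apparent sender.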


********************************************************
This Week's Sponsor:  RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components Validate a
Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm

For Archives, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm