600? Wow, you're lucky, I'm well into 3000, and it snuck into my systems before Symantec had updated definitions for its e-mail scanners. First time something has hit me before I had updated virus defs, but it's my fault. I didn't set up attachment blocking in my new e-mail software after we upgraded to E2K3 this past weekend. D0h.

-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On Behalf Of Jan Broucinek
Sent: Wednesday, August 20, 2003 7:32 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: Alert! Lookout !!! New variant of Sobig Virus.

Our mail gateway GFI MailSecurity has been having a wonderful time stopping this thing for the past 24hrs. Since 5pm last night I've seen over 600 instances of it.

----- Original Message -----
From: "Jim Kenzig http://thethin.net" <jimkenz@xxxxxxxxxxxxxx>
To: <thin@xxxxxxxxxxxxx>; <windows2000@xxxxxxxxxxxxx>
Sent: Tuesday, August 19, 2003 10:52 PM
Subject: [THIN] Alert! Lookout !!! New variant of Sobig Virus.

> I just got 1300 messages with this one in it!!!! Trend says medium
> alert... I'd rate it much higher!
> http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
>
> ----------------------------------------------------------------------------
> Virus type: Worm
> Destructive: No
> Aliases: Win32.HLLM.Reteras, W32.Sobig.F@mm, W32/Sobig.f@MM, Sobig.F,
> Win32.Sobig.F, W32/Sobig-F, I-Worm.Sobig.f
> Pattern file needed: 617
> Scan engine needed: 6.100
> Overall risk rating: Medium
> ----------------------------------------------------------------------------
> Reported infections: Medium
> Damage Potential: High
> Distribution Potential: High
> ----------------------------------------------------------------------------
>
> Description:
>
> TrendLabs has received several infection reports of this mass-mailing worm
> from Norway and Spain. As of 12:19 PM GMT, Trend Micro has declared a Medium
> Risk alert to control the spread of this malware.
>
> This worm propagates by mass-mailing copies of itself using its own Simple
> Mail Transfer Protocol (SMTP) engine. It collects email addresses from files
> with the following extensions:
>
>   DBX
>   HLP
>   MHT
>   WAB
>   HTML
>   HTM
>   TXT
>   EML
>
> It sends out email messages with the following details:
>
> Subject: <any of the following:>
>   Re: Thank you!
>   Thank you!
>   Re: Details
>   Re: Re: My details
>   Re: Approved
>   Re: Your application
>   Re: Wicked screensaver
>   Re: That movie
>
> Message body: <any of the following:>
>   See the attached file for details.
>   Please see the attached file for details.
>
> Attachment: <any of the following:>
>   your_document.pif
>   document_all.pif
>   thank_you.pif
>   your_details.pif
>   details.pif
>   document_9446.pif
>   application.pif
>   wicked_scr.scr
>   movie0045.pif
>
> It may spoof the FROM field using email addresses found on the infected
> machine so that its email messages appear to originate from one source but
> were actually sent from another.
>
> This worm deactivates its propagation routine on September 10, 2003.
>
> This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
>
> Solution:
>
> AUTOMATIC REMOVAL INSTRUCTIONS
>
> To automatically remove this malware from your system, please use the Trend
> Micro System Cleaner.
>
> MANUAL REMOVAL INSTRUCTIONS
>
> Identifying the Malware Program
>
> To remove this malware, first identify the malware program.
>
> Scan your system with your Trend Micro antivirus product. NOTE all files
> detected as WORM_SOBIG.F. Trend Micro customers need to download the latest
> pattern file before scanning their system. Other Internet users may use
> HouseCall, Trend Micro's free online virus scanner.
>
> Terminating the Malware Program
>
> This procedure terminates the running malware process from memory. You will
> need the name(s) of the file(s) detected earlier.
>
> Open Windows Task Manager.
>   On Windows 95/98/ME systems, press CTRL+ALT+DELETE.
>   On Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, then click the
>   Processes tab.
> In the list of running programs*, locate the malware file or files detected
> earlier.
> Select one of the detected files, then press either the End Task or the End
> Process button, depending on the version of Windows on your system. Do the
> same for all detected malware files in the list of running processes.
> To check if the malware process has been terminated, close Task Manager, and
> then open it again.
> Close Task Manager.
>
> *NOTE: On systems running Windows 95/98/ME, Task Manager may not show
> certain processes. You may use a third-party process viewer to terminate the
> malware process. Otherwise, continue with the next procedure, noting
> additional instructions.
>
> Removing Autostart Entries from the Registry
>
> Removing autostart entries from the registry prevents the malware from
> executing during startup.
>
> To remove the malware autostart entries:
>
> Open Registry Editor. To do this, click Start>Run, type Regedit, then press
> Enter.
> In the left panel, double-click the following:
>   HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry or entries:
>   TrayX = "%Windows%\winppr32.exe /sinc"
> (Note: %Windows% is the Windows folder, which is usually C:\Windows or
> C:\WINNT.)
> In the left panel, double-click the following:
>   HKEY_CURRENT_USER>Software>Microsoft>Windows>CurrentVersion>Run
> In the right panel, locate and delete the entry or entries:
>   TrayX = "%Windows%\winppr32.exe /sinc"
> Close Registry Editor.
>
> NOTE: If you were not able to terminate the malware process from memory as
> described in the previous procedure, restart your system.
>
> Deleting Dropped File
>
> Right-click Start, then click Search or Find, depending on your version of
> Windows.
> In the Named input box, type:
>   WINSTT32.DAT
> In the Look In drop-down list, select the drive which contains Windows, then
> press Enter.
> Once located, select the file, then hit Delete.
>
> Running Trend Micro Antivirus
>
> Scan your system with Trend Micro antivirus and delete all files detected as
> WORM_SOBIG.F. To do this, Trend Micro customers must download the latest
> pattern file and scan their system. Other Internet users can use HouseCall,
> Trend Micro's free online virus scanner.
>
> For product-specific solutions, please refer to Solution 16031 of Trend
> Micro's Knowledge Base.
>
> Trend Micro offers best-of-breed antivirus and content-security solutions
> for your corporate network or home PC.
>
> For additional information about this threat, see Technical Details.

********************************************************
This Week's Sponsor: RES PowerFuse, The Management Framework for Windows
Eliminate Multiple Tools, Multiple Support Channels and Multiple Costs
Manage, Control, and Secure an Entire Windows environment with Ease,
including Real-time Reporting and Documenting Components
Validate a Meaningful ROI on All of your IT Investments with RES PowerFuse.
http://www.respowerfuse.com/
**********************************************************
Useful Thin Client Computing Links are available at:
http://thethin.net/links.cfm
For Archives, to Unsubscribe, Subscribe or set Digest or Vacation mode use the below link:
http://thethin.net/citrixlist.cfm
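The lesson in the top post is attachment blocking at the mail gateway. As an added example (not code from the thread, GFI MailSecurity or Trend Micro), this Python filter applies the WORM_SOBIG.F subject and attachment names quoted above, plus an assumed policy of blocking .pif and .scr attachments outright so a renamed copy is still stopped, to constructed sample messages built offline.

```python
import email
from email import policy
from email.message import EmailMessage

# Subjects and attachment names quoted from the WORM_SOBIG.F description in the thread.
SOBIG_SUBJECTS = {
    "re: thank you!", "thank you!", "re: details", "re: re: my details",
    "re: approved", "re: your application", "re: wicked screensaver", "re: that movie",
}
SOBIG_ATTACHMENTS = {
    "your_document.pif", "document_all.pif", "thank_you.pif", "your_details.pif",
    "details.pif", "document_9446.pif", "application.pif", "wicked_scr.scr", "movie0045.pif",
}
# Extension policy (assumption): block the two executable types Sobig.F uses outright,
# so a renamed copy is stopped even when its name is not on the list above.
BLOCKED_EXTENSIONS = {"pif", "scr"}


def classify(raw: bytes) -> dict:
    """Return a verdict ('quarantine', 'review' or 'deliver') and the reasons behind it."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip().lower()
    reasons = []
    if subject in SOBIG_SUBJECTS:
        reasons.append("subject matches the WORM_SOBIG.F subject list")
    quarantine = False
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in SOBIG_ATTACHMENTS:
            reasons.append(f"attachment {name} matches the WORM_SOBIG.F file list")
            quarantine = True
        elif name.rsplit(".", 1)[-1] in BLOCKED_EXTENSIONS:
            reasons.append(f"attachment {name} has a blocked executable extension")
            quarantine = True
    # A matching subject alone is only a hint (real replies reuse such subjects); a
    # blocked attachment is what the worm actually needs, so that decides quarantine.
    verdict = "quarantine" if quarantine else ("review" if reasons else "deliver")
    return {"verdict": verdict, "reasons": reasons}


def build_message(subject: str, filename: str = "") -> bytes:
    """Construct a sample message offline; the attachment body is inert placeholder data."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"  # Sobig.F spoofs From with harvested addresses
    msg["To"] = "thin@example.com"
    msg["Subject"] = subject
    msg.set_content("See the attached file for details.")
    if filename:
        msg.add_attachment(b"constructed placeholder, not malware",
                           maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Running `classify(build_message("Re: Wicked screensaver", "wicked_scr.scr"))` quarantines on both the subject and the attachment name; a message with the same subject but no attachment is only flagged for review.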