[THIN] Be sure to update your av definitions!

  • From: Jim Kenzig <jimkenz@xxxxxxxxxxxxxx>
  • To: thin@xxxxxxxxxxxxx, windows2000@xxxxxxxxxxxxx
  • Date: Mon, 2 Jun 2003 12:05:12 -0400

I keep getting the below virus with a .pi extension. Be sure that if you
are doing blocking that you add that extension.
This is starting to be pretty rampant and appears to be not only coming from
Bill@xxxxxxxxxxxxx. I have gotten it under 3 other names also today.

Look out!
Regards,
Jim Kenzig
http://thethin.net




VIRUS WARNING ISSUED BY CENTRALCOMMAND®
on June 01, 2003
for Worm/Sobig.C



VIRUS WARNING The Central Command® Emergency Virus Response Team™ (EVRT™)
has received virus infection reports for the new Internet Worm/Sobig.C. Due
to increased customer inquiries and infection reports the EVRT is issuing a
VIRUS ALERT.

You are receiving this newsletter because you are a subscriber to the
Central Command Virus News mailing list.

[ EVRT™ Virus Warning issued for Worm/Sobig.C ]

Details:
Name: Worm/SoBig.C
Alias: Win32.Sobig-C
Type: Internet Worm
Discovered: June 1, 2003
Size: 59.948KB
Platform: Microsoft Windows 9x/ME/NT/2000/XP


Description:

Worm/Sobig.C is an Internet worm that spreads through e-mail by using
addresses it collects in the files with the following extensions, .dbx,
.eml, .htm, .html, .txt, and .wab.

The worm may arrive via email in the following format:

From: bill@xxxxxxxxxxxxx
Subject: (it will contain one of the following)

- Approved
- Re: 45443-343556
- Re: Application
- Re: Approved
- Re: Movie
- Re: Submited (004756-3463)
- Re: Your application

Body: Please see the attached file.

Attachment: (it will contain one of the following)

- 45443.pif
- application.pif
- approved.pif
- document.pif
- documents.pif
- movie.pif
- screensaver.scr
- submited.pif
- _submited.pif

If executed, the worm copies itself in the \windows\ directory under the
filename "mscvb32.exe".

So that it gets run each time a user restarts their computer the following
registry key gets added:

- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
"System Tray"="%Windows%\mscvb32.exe"

- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"System MScvb"="%Windows%\mscvb32.exe"
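The attachment-extension blocking recommended in the post, as an added example that is not part of the original message or of the Central Command advisory. The function names and the sample message are constructed for illustration; the blocked extensions are the ones named on this page.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Extensions from the advisory's attachment list (.pif, .scr) plus the
# ".pi" form reported in the post.
BLOCKED_EXTENSIONS = {".pif", ".scr", ".pi"}


def final_extension(filename):
    """Return the lowercased last extension of an attachment name.

    Trailing dots and spaces are dropped first because Windows ignores them,
    and only the last extension counts, so "approved.txt.pif" is ".pif".
    """
    name = PureWindowsPath(filename.strip().rstrip(". ")).name
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def blocked_attachments(raw_message):
    """Return the attachment filenames in a raw message that should be blocked."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    # walk() also visits nested multiparts; get_filename() decodes RFC 2231
    # names and falls back to the Content-Type "name" parameter.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and final_extension(filename) in BLOCKED_EXTENSIONS:
            hits.append(filename)
    return hits


def build_sample(filenames):
    """Build a constructed test message shaped like the one in the advisory."""
    m = EmailMessage()
    m["Subject"] = "Re: Approved"
    m.set_content("Please see the attached file.")
    for fn in filenames:
        m.add_attachment(b"constructed placeholder bytes",
                         maintype="application", subtype="octet-stream",
                         filename=fn)
    return m.as_bytes()


if __name__ == "__main__":
    sample = build_sample(["notes.txt", "Document.PIF", "approved.txt.pif"])
    print(blocked_attachments(sample))
```

Matching on the lowercased final extension catches case variants and double extensions that an exact filename list would miss.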