Viruswarn Forums
Lee Drake (238 posts)
06/30/2003 2:52 PM

What Is It?
W32/Sobig.e@MM is the latest variant of the Sobig series of Internet worms. Like practically everything else of recent vintage, it spreads as follows.
It mass mails itself using its own built-in SMTP engine.
It harvests addresses from the Windows Address Book and the local hard drive, searching for files with the following extensions.
WAB - Windows Address Book
DBX - Associated with PHP scripts, which run on Web servers. DBX stands for Data Base Abstraction (abstraxion?).
HTM - Hypertext Markup Language (Web pages).
HTML - Hypertext Markup Language (Web pages).
EML - Email file.
TXT - Plain text (Notepad) file.
It forges the return address. Therefore, the perceived sender is probably not the hapless victim.
It spreads across network shares.
The attachment is packaged as a ZIP archive, though the extension may be .ZI, due to an error in the worm code, requiring some user action to activate. However, the authors use attractive names, like "Application" to entice their victims to open it. See the References section below for further details.
While we're at it, one variant of the Klez worm has the audacity to claim to be a program that will prevent Klez from attacking your computer! Symantec refers to it as W32.HLLW.Merkur.E@mm; see the References section for more. Yes, Klez is still out there; I get at least one a day. See the References section for the latest information about Klez.
What Should I Do?
As usual, never open unexpected attachments from anyone, even your best friend.
Be very wary of magical cures that come in the mail, even if the origin appears to be Symantec, McAfee, Trend, F-Secure, or Microsoft. No reputable software vendor ever sends program code to its customers, or even its prospects, as attachments to email messages. Period.
Keep your anti-virus software up to date. We suggest that you set your software to check for updates automatically.
If you have a dial-up Internet connection, set the schedule to check daily at a time when you are usually already online.
If you have a broadband (Cable, DSL, T1, or satellite) connection to the Internet, set the software to check hourly. If you have more than one computer sharing the connection, set them to check at staggered times.
Enable on-access scanning of all files.
If you become infected, disconnect the affected computer from all other computers as soon as you realize that it's infected, then use another computer to review one or more of the articles given in the References section below for removal instructions or get professional help.
References:
http://vil.nai.com/vil/content/v_100429.htm discusses the W32/Sobig.e@MM worm. This reference is at Network Associates, Inc., makers of McAfee VirusScan software.
http://securityresponse.symantec.com/avcenter/venc/data/w32.klez.h@mm.html#threatassessment is the latest on Klez. Take note of the height of all three bars on the graph in the upper right corner.
Read about the "KLEZ Fix-it scan" in the Sarasota PC Monitor at http://www.spcug.org/reviews/hg0209.htm
The W32.HLLW.Merkur.E@mm worm, the so-called "Klez Fix-It" is discussed in detail in an article on the Symantec (Norton AV) Web site at http://www.sarc.com/avcenter/venc/data/w32.hllw.merkur.e@mm.html.
A graph at http://www.messagelabs.com/viruseye/threats/ identifies W32/Sobig.e@MM and W32/Klez.H-mm as the two most active viri within the last 24 hours. This is consistent with our own observations, based on observed incoming traffic on our mail server, which has included at least one of each during the last week.
This concludes this VirusWarning notice.
David Gray
P6 Consulting
V: +1 (972) 751-0254
TZ: USA Central, GMT -6
E: mailto:dagray@p6c.com
W: http://www.p6c.com
1141 Hidden Ridge
Suite 1142
75038-3780
USA
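Added example, not part of the notice above or of Lee Drake's or David Gray's material: a small Python triage script that applies two of the points in the notice to an e-mail message. It lists attachments whose extension is .zip or the truncated .zi the worm is said to produce, and it reads the earliest Received: hop so the host that actually injected the message can be set beside the forged From: address. The sample message is constructed for the example (not a real Sobig.E capture), and the Received: regex and the "From: domain appears in the first-hop host name" heuristic are my own assumptions, not behaviour documented in the notice.

```python
import email
import re
from email.utils import parseaddr

# Attachment extensions called out in the notice: a ZIP archive, sometimes
# delivered as ".zi" because of a bug in the worm's own code.
SUSPECT_EXTS = (".zip", ".zi")

# Assumed Received: layout "from <host> (... [<ip>]) by ...": picks the
# relaying host name and the bracketed IP. Real headers vary; this is a
# demonstration parser, not a general one.
RECEIVED_RE = re.compile(r"from\s+(?P<host>\S+).*?\[(?P<ip>[\d.]+)\]", re.S)

# Constructed sample: From: claims example.com, but the first Received: hop
# is a workstation at 203.0.113.5 and the payload is "application.zi".
SAMPLE = "\n".join([
    "Received: from mail.example.net ([192.0.2.10]) by mx.example.org;"
    " Mon, 30 Jun 2003 14:52:00 -0500",
    "Received: from victim-pc ([203.0.113.5]) by mail.example.net;"
    " Mon, 30 Jun 2003 14:51:40 -0500",
    'From: "Alice" <alice@example.com>',
    "To: bob@example.org",
    "Subject: Re: Application",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="sobig-demo"',
    "",
    "--sobig-demo",
    "Content-Type: text/plain",
    "",
    "See the attached application.",
    "--sobig-demo",
    'Content-Type: application/octet-stream; name="application.zi"',
    'Content-Disposition: attachment; filename="application.zi"',
    "Content-Transfer-Encoding: base64",
    "",
    "UEsDBAoAAAAAAA==",
    "--sobig-demo--",
    "",
])


def suspicious_attachments(msg):
    """Return attachment file names whose extension is .zip or .zi."""
    found = []
    for part in msg.walk():
        name = part.get_filename()
        if name and name.lower().endswith(SUSPECT_EXTS):
            found.append(name)
    return found


def origin_hop(msg):
    """Earliest Received: hop as (host, ip), or None if absent/unparseable.

    Each relay prepends its own Received: header, so the last one in the
    header block belongs to the first hop: the machine that sent the mail.
    """
    hops = msg.get_all("Received") or []
    if not hops:
        return None
    m = RECEIVED_RE.search(hops[-1])
    return (m.group("host"), m.group("ip")) if m else None


def triage(raw):
    """Summarise the sender evidence and risky attachments of one message."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    origin = origin_hop(msg)
    attachments = suspicious_attachments(msg)
    # Heuristic only: a forged From: usually names a domain unrelated to the
    # host that injected the message. Absence of a match is a hint, not proof.
    from_consistent = bool(
        origin and from_domain and from_domain in origin[0].lower()
    )
    return {
        "from": from_addr,
        "origin": origin,
        "attachments": attachments,
        "from_consistent_with_origin": from_consistent,
        "suspect": bool(attachments) and not from_consistent,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it on a saved .eml by passing the file's text to triage(). The point to take from the output is the one the notice makes: the From: address is what the worm chose to write, while the first-hop Received: line is the only header the receiving server itself observed, so complaints and clean-up belong with the origin host, not the apparent sender.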