• Walter (4/4) Aug 25 2003 A lot of people are getting the sobig virus with a forged return address
• John Reimer (5/11) Aug 25 2003 Ouch! I feel your pain. All these people have to do, I think, is look
• Greg Peet (14/14) Aug 26 2003 So then is there some ass on this newsgroup server that is listing email
• Walter (7/10) Aug 26 2003 this
• Greg Peet (13/13) Aug 26 2003 "Walter" wrote in message
• Greg Peet (23/23) Aug 26 2003 Meant ".scr" for screensaver, not ".src"...
• Walter (4/12) Aug 26 2003 Digital
• Steve Topilnycky (13/19) Sep 22 2003 In a nutshell, it's a mass mailing worm, with it's own SMTP engine, and
• gf (7/12) Aug 26 2003 Probably is the nature of the virus. I believe I read at Symantec that t...
• Ilya Minkov (8/11) Sep 08 2003 True.

"Walter" <walter digitalmars.com> writes:

A lot of people are getting the sobig virus with a forged return address
saying it is from me. Hence, I am getting a lot of emails from people upset
about receiving the virus from me. The virus is not coming from me, there is
nothing I can do about forged return addresses.

John Reimer <jjreimer telus.net> writes:

Walter wrote:
 A lot of people are getting the sobig virus with a forged return address
 saying it is from me. Hence, I am getting a lot of emails from people upset
 about receiving the virus from me. The virus is not coming from me, there is
 nothing I can do about forged return addresses.
 
 

Ouch! I feel your pain.  All these people have to do, I think, is look 
at the message source to see that the return address is forged.

Later,

John

"Greg Peet" <admin REMOVEMEgregpeet.com> writes:

So then is there some ass on this newsgroup server that is listing email
addy's and then sending it? Or are the attacks aimed at people outside this
small collection of Martians?

I bet I'm next on the list for calling him/her an "ass" LOL.

"Walter" <walter digitalmars.com> wrote in message
news:bie4cu$2e08$3 digitaldaemon.com...
| A lot of people are getting the sobig virus with a forged return address
| saying it is from me. Hence, I am getting a lot of emails from people
upset
| about receiving the virus from me. The virus is not coming from me, there
is
| nothing I can do about forged return addresses.
|
|

"Walter" <walter digitalmars.com> writes:

"Greg Peet" <admin REMOVEMEgregpeet.com> wrote in message
news:bif5c9$vci$1 digitaldaemon.com...
 So then is there some ass on this newsgroup server that is listing email
 addy's and then sending it? Or are the attacks aimed at people outside

this
 small collection of Martians?

My email address must be well known, because I am sent the sobig worm
several hundred times a day. It gets rejected by the ever-vigilant Digital
Mars mail server (thanks, Jan!) before it ever reaches me, but still it
consumes a lot of bandwith at 100k a message.

"Greg Peet" <admin REMOVEMEgregpeet.com> writes:

"Walter" <walter digitalmars.com> wrote in message
news:bif661$10gs$1 digitaldaemon.com...
| My email address must be well known, because I am sent the sobig worm
| several hundred times a day. It gets rejected by the ever-vigilant Digital
| Mars mail server (thanks, Jan!) before it ever reaches me, but still it
| consumes a lot of bandwith at 100k a message.

Good lord! What exactly is it? Is it an attachment of some script form or
object code? I did a search and didn't find much on it.

Just recently some idiot has been posting messages to newsgroups
(comp.lang.c and comp.lang.c++) w/ an attachment of some type of amateur
virus I assume (the files are .src exes).. I did a simple message trace and
found the poster originating from the University of Wisconsin.

Are all your attacks coming from free-mailer facilities?

"Greg Peet" <admin REMOVEMEgregpeet.com> writes:

Meant ".scr" for screensaver, not ".src"...

"Greg Peet" <admin REMOVEMEgregpeet.com> wrote in message
news:bifc3v$19jk$1 digitaldaemon.com...
| "Walter" <walter digitalmars.com> wrote in message
| news:bif661$10gs$1 digitaldaemon.com...
| | My email address must be well known, because I am sent the sobig worm
| | several hundred times a day. It gets rejected by the ever-vigilant
Digital
| | Mars mail server (thanks, Jan!) before it ever reaches me, but still it
| | consumes a lot of bandwith at 100k a message.
|
| Good lord! What exactly is it? Is it an attachment of some script form or
| object code? I did a search and didn't find much on it.
|
| Just recently some idiot has been posting messages to newsgroups
| (comp.lang.c and comp.lang.c++) w/ an attachment of some type of amateur
| virus I assume (the files are .src exes).. I did a simple message trace
and
| found the poster originating from the University of Wisconsin.
|
| Are all your attacks coming from free-mailer facilities?
|
|

"Walter" <walter digitalmars.com> writes:

"Greg Peet" <admin REMOVEMEgregpeet.com> wrote in message
news:bifc3v$19jk$1 digitaldaemon.com...
 "Walter" <walter digitalmars.com> wrote in message
 news:bif661$10gs$1 digitaldaemon.com...
 | My email address must be well known, because I am sent the sobig worm
 | several hundred times a day. It gets rejected by the ever-vigilant

Digital
 | Mars mail server (thanks, Jan!) before it ever reaches me, but still it
 | consumes a lot of bandwith at 100k a message.

 Good lord! What exactly is it? Is it an attachment of some script form or
 object code? I did a search and didn't find much on it.

It comes as a 100k attachment that tries to trick you into running it.

Steve Topilnycky <no.spam.steve topcatcomputing.com> writes:

In the c++.announce newsgroup Greg Peet wrote: 

 
 What exactly is it?

In a nutshell, it's a mass mailing worm, with it's own SMTP engine, and 
spoofs email address.  There are several variants. Below are links the 
Symantec Security Response technical write-ups on the some of the 
variants:

 http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.a mm.html
 http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.b mm.html
 http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.c mm.html
 http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.e mm.html
 http://securityresponse.symantec.com/avcenter/venc/data/w32.sobig.f mm.html


When a file is detected as infected with  <VIRUS NAME>.enc, it indicates 
that it is a MIME-encoded file that contains the that virus.




-- 

Regards,

Steve Topilnycky             
Top Cat Computing
Web:  http://www.topcatcomputing.com/

gf <mz_y2k yahoo...com> writes:

"Greg Peet" <admin REMOVEMEgregpeet.com> wrote in
news:bif5c9$vci$1 digitaldaemon.com: 

 So then is there some ass on this newsgroup server that is listing
 email addy's and then sending it? Or are the attacks aimed at people
 outside this small collection of Martians?
 
 I bet I'm next on the list for calling him/her an "ass" LOL.


Probably is the nature of the virus. I believe I read at Symantec that the 
virus agressivly gathers information on the infected computer and sends 
emails impersonating the emails it founds.

Maybe reading Symantec's dissection on the virus may bring light...

~/gnf.pt

Ilya Minkov <minkov cs.tum.edu> writes:

gf wrote:
 Probably is the nature of the virus. I believe I read at Symantec that the 
 virus agressivly gathers information on the infected computer and sends 
 emails impersonating the emails it founds.

True.

http://www.viruslist.com/eng/viruslist.html?id=65735
http://www.viruslist.com/eng/viruslist.html?id=61094
http://www.viruslist.com/eng/viruslist.html?id=61094
http://www.viruslist.com/eng/viruslist.html?id=60634
http://www.viruslist.com/eng/viruslist.html?id=58906

- eye