Hello guys, there is a new worm out on the internet, I am having to go out and patch up 4 networks today. So Just thought I would let yall in in on this before it gets too bad. Download this http://securityresponse.symantec.com/avcenter/venc/data/w32.welchia.worm.removal.tool.html

make sure you read all the details, this is one i hear is supposed to be worse. Goodluck :(

Here's one that is really cluttering up my inbox. Just came out. Not sure if it is the same as w32.welchia.worm or not

[/I]Win32.Sobig.F


Also known as:
Win32/Sobig.F.Worm
W32/Sobig.F (F-Secure)
I-Worm.Sobig.f (Kaspersky)
W32.Sobig.f@MM (McAfee)
Category: Win32
Type: Worm
Wild: Medium-On-Watch
Destructiveness: Low
Pervasiveness: High

August 19, 2003

For more information, please visit the Win32.Sobig.F description in our Virus Encyclopedia.

Win32.Sobig.F is a worm which spreads via e-mail using its own SMTP engine.

It arrives in a message with one of the following subjects:

Re: Thank you!
Thank you!
Your details
Re: Details
Re: Re: My details
Re: Approved
Re: Your application
Re: Wicked screensaver
Re: That movie

The attachment name is chosen at random from the following list:

your_document.pif
document_all.pif
thank_you.pif
your_details.pif
details.pif
document_9446.pif
application.pif
wicked_scr.scr
movie0045.pif

The message body reads either:

Please see the attached file for details.

or

See the attached file for details

The worm is reported to spoof the 'From' address, so that it appears to come from a different address than that of the affected machine.

When run, the worm copies itself to the Windows directory with the following file name:

%Windows%\WINPPR32.EXE

It also creates another file in the Windows directory: %Windows%WINSTT32.DAT

Note: '%Windows%' is a variable location. The worm determines the location of the current Windows folder by querying the operating system. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95,98 and ME is C:\Windows; and for XP is C:\Windows.

It then creates the following registry values so WINPPR32.EXE runs whenever Windows starts:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \TrayX = "C:\WINDOWS\winppr32.exe /sinc"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run \TrayX = "C:\WINDOWS\winppr32.exe /sinc"

Note: These registry values are only set if the keys already exist. For example, the second value might not be created on Windows 98 systems because the key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run
does not usually exist.

The worm appears to search files with the following extensions for e-mail addresses to send to:

txt
eml
html
htm
dbx
wab

The worm is coded to stop replicating as of 10th September 2003.

Detection for this worm has been added to CA's eTrust antivirus solutions. Install the latest relevant update to ensure protection.

eTrust Antivirus v7 Signature Updates Files, Version 23.62.27
InoculateIT Engine Virus Signature Update Files, Version 23.62.27
Inoculan 4.0/InoculateIT 4.5x Virus Signature Update Files, Version 44.27
EZ Antivirus 6.x Engine Virus Signature Update Files: 6.x/4847
EZ Antivirus 5.x Engine Virus Signature Update Files: 5.x/2563
Vet 10.5 Engine Virus Signature Update Files: 10.5x/4847

For more information, please visit the Win32.Sobig.F description in our Virus Encyclopedia.[/i]

ahhhhhhhh....holy repeat..lol

if anyone needs them, here are the removal tools for these 2 viruses/worms and many others:

http://securityresponse.symantec.com/avcenter/tools.list.html

Yeah how these worms work, is they flood the networks with false packets. "Chattering" the network and you can tell this because all the lights on the hub or switch will all start flashing in sync. It's a very bad sight too see, especially when that network is runnin 45 workstations and you really don't want to have to goto each one, thank god I didn't. w00t. Anyway that tool from the symantec website worked out great.

I don't know how the hell you guys get these worms/viruses. I've never had a problem with any of these. Why is that?

Windows 3.1

Scott

I've seen sobig disguising itself as a message from yahoo groups so if you're subscribed to any of those, be wary.

Yeah I got an email from some msn b00n, but Norton caught it and deleted it fer me, w00t!

okay guys i got the sobig virus but when i run norton scan it doesnt detect it...nor will the removal tool work to remove it

and yes i have run both in safe mode but still it didnt find anything...so any ideas?

Mercy --what makes you think you have SoBig? If you are getting messages back from postmasters saying your message was undeliverable, but you didnt send a message, that's kinda normal, cause the email program "spoofs" email addresses. In otherwords it pretends to be you, or any other email address it comes across, and when it hits a bad address on a domain, your address is the address that that domain responds back to.

I even got a soBig message sent to me pretending to be Perm's hotmail account that he rarely uses anymore. Go figure.

ahh..okay then that is what is happening...

I have been getting those e-mails but Norton has only caught one as being a virus. I did not open any of them just simple deleted them all as I got them. I did not know who they were from so I did not open them. My question is this. I have run a virus scan on my computer and it comes back none found. As long as I did not open the attachment in the e-mail did the virus not infect my computer? It seems to be running fine and I have had no problems. I just keep getting those darn e-mails.

Hey sniper, to answer your question honestly. The virus is one your computer in some way or another. Now wether it comes out of it's dormance depends on how it was written. When you think about, when you check your email if someone attached a file, and your using outlook express then outlook automatically downloads all attachments to your computer. From what I have heard though, is that the folders it downloads to are some sort of highly protected folders, which means it really isn't tied into anything else. Sort of a Microsoft grey area there. Now there is an option in Outlook express, to not have it display attachments at all if you really want to get safe with outlook this is strictly preference here though.

When in Outlook goto:

Tools
|
Options
|
Security Tab

Then check the option "Do not allow attachments to be saved or opened that potentially contain a virus"