The Sobig virus - when will the madness end?

My Yahoo address is still getting 15 to 20 100k emails each day containing this virus, a week after it was apparently 'under control'. They're all going straight into the Bulk folder, of course, but this still eats into my available space. Every time I open Yahoo mail at the start of the day I get a 'mailbox full' warning and I fear real email is going to start (or already has been) bouncing.

I don't suppose there's anything I can do about this? Anyone else having similar problems? And who can I blame?

Michael Jones (MichaelJ), Thursday, 28 August 2003 08:25 (twenty-two years ago)

is this the mails that say "details" and stuff? I've had problems too, not quite as bad mind you, maybe 5 or so per day and my mailbox has a big capacity

Ronan (Ronan), Thursday, 28 August 2003 08:30 (twenty-two years ago)

I've only had one or two of these. I must be very unpopular.

robster (robster), Thursday, 28 August 2003 08:35 (twenty-two years ago)

I've not had one yet.

Dave B (daveb), Thursday, 28 August 2003 08:38 (twenty-two years ago)

is this the mails that say "details" and stuff?

Yeah, the form is one of:

Re: details
Re: approved
Re: my details
Re: Thankyou!
Re: That movie
Re: wicked screensaver
Re: your application
Your details
Thankyou

Clocks in at around 100k with a .pif attachment. I've been around 60-65% capacity in Yahoo for about a year (loath to delete six years of email highlights), so a weekend without checking for these things can send it through the ceiling.

Michael Jones (MichaelJ), Thursday, 28 August 2003 08:41 (twenty-two years ago)

i do find it astonishing that yahoo/hotmail aren't automatically blocking them. that said, i'm only getting 1 a day now instead of 20 (fingers crossed).

toby (tsg20), Thursday, 28 August 2003 08:43 (twenty-two years ago)

I haven't had any, but I've had a few 'undeliverable' or autoreplies from people I've never heard of, which suggests that things are going in the other direction at least :(

Archel (Archel), Thursday, 28 August 2003 08:44 (twenty-two years ago)

I've not had any either. Though this is not an invitation to spam me with evil.

j0e (j0e), Thursday, 28 August 2003 08:46 (twenty-two years ago)

Archel, if your PC is infected, you can download a removal tool from here.

robster (robster), Thursday, 28 August 2003 08:56 (twenty-two years ago)

I haven't had any, but I've had a few 'undeliverable' or autoreplies from people I've never heard of, which suggests that things are going in the other direction at least :(

Yeah, what's the deal with those? About 10% of all my Sobig-related junk is autoresponses of this sort. This doesn't presumably mean *I'm* relaying the virus, does it? Just that my email address is being faked in the From: field as it propagates?

Michael Jones (MichaelJ), Thursday, 28 August 2003 08:59 (twenty-two years ago)

I had autoreplies like that when my PC was infected by another worm (my own fault - opened an attachment). Download and run the tool I linked to and they should stop - assuming it's Sobig.F that's infected your machine.

robster (robster), Thursday, 28 August 2003 09:02 (twenty-two years ago)

Or run Norton Antivirus if you have that and LiveUpdate.

robster (robster), Thursday, 28 August 2003 09:04 (twenty-two years ago)

Yes, but this is Yahoo mail - presumably the worm isn't on my PC (or our work network), it's on some remote Yahoo server? Or can it propagate via your favoured Web mail rather than your home address?

Michael Jones (MichaelJ), Thursday, 28 August 2003 09:05 (twenty-two years ago)

no the virus works by copying email addresses from infected users' address books, not replicating under the infected users' *own* addresses, so it can appear to be sending the virus from you but isn't at all. i have a mac and do not use outlook so am all but immune to the thing, but have still had several of these autoresponses coz the virus has got a hold of my address from some other source it has infected...

Dave Stelfox (Dave Stelfox), Thursday, 28 August 2003 09:06 (twenty-two years ago)

run norton anyway, just in case... i have been every day since...

Dave Stelfox (Dave Stelfox), Thursday, 28 August 2003 09:07 (twenty-two years ago)

I've received (no exaggeration here) about 2,000 of the things. I suspect this is mostly because our email news alert service at work goes out from my account, and is therefore a fucking hoover for viruses.

Matt DC (Matt DC), Thursday, 28 August 2003 09:22 (twenty-two years ago)

yeah the autoresponses were what i was getting. one thing you could do is look at the addresses they're bouncing back from and try to work out who you know has the virus...

toby (tsg20), Thursday, 28 August 2003 09:53 (twenty-two years ago)

i'm a very popular man toby this may take a very long time...

Dave Stelfox (Dave Stelfox), Thursday, 28 August 2003 10:12 (twenty-two years ago)

got none so far, my copy of NAV is out of date though so i am a bit worried in that respect

stevem (blueski), Thursday, 28 August 2003 10:25 (twenty-two years ago)

I got some mail from someone I've never heard of saying 'you keep sending me infected emails - get a fucking virus checker and use it please'. But as with Mike, this was on my mailup.net webmail address, so I am assuming something somewhere is spoofing my address, either from an email harvester that has got to ILE (unlikely, as unless it somehow got around the login process, it wouldn't get my full address) or from someone else's address book.

I haven't actually got a virus checker, and probably should get one, but being on a Mac, not using Outlook Express and never opening weird attachments has made me a bit complacent.

N. (nickdastoor), Thursday, 28 August 2003 10:28 (twenty-two years ago)

surely there's more to it than that, n.?

mark s (mark s), Thursday, 28 August 2003 10:31 (twenty-two years ago)

Well I dunno - can someone knowledgeable tell me if I am running much of a risk?

N. (nickdastoor), Thursday, 28 August 2003 10:54 (twenty-two years ago)

never mind, it wz a joke abt what caused yr complacency

mark s (mark s), Thursday, 28 August 2003 11:05 (twenty-two years ago)

Damn. It was funny too!

N. (nickdastoor), Thursday, 28 August 2003 11:11 (twenty-two years ago)

What worked for me is to find out what IPs the messages w/the worm attachments are coming from and then blacklist those IPs. I was getting about 50 100K emails a day last weekend but 99% of them were originating from one of three IPs, all of which I blacklisted and I've been OK since. (NB you can't blacklist the 'from' addresses as they are spoofed/bogus. Addresses are easy to forge but to forge an originating IP address takes some talent.)

Jeff Wright, Thursday, 28 August 2003 11:59 (twenty-two years ago)
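
The triage described in the post above, as an added example that is not part of the original thread: flag messages matching the subject lines and .pif attachment quoted earlier, then count them by connecting IP rather than by the forgeable From: address. It assumes the receiving server records the peer IP in square brackets in the topmost Received header; the sample messages, addresses and IPs are constructed.

```python
import re
from collections import Counter
from email import message_from_bytes, policy
from email.message import EmailMessage
# Subject lines quoted earlier in the thread.
SOBIG_SUBJECTS = {s.lower() for s in (
    "Re: details", "Re: approved", "Re: my details", "Re: Thankyou!",
    "Re: That movie", "Re: wicked screensaver", "Re: your application",
    "Your details", "Thankyou")}
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def looks_like_sobig(msg):
    """Known subject line plus a .pif attachment."""
    if str(msg["Subject"] or "").strip().lower() not in SOBIG_SUBJECTS:
        return False
    return any((part.get_filename() or "").lower().endswith(".pif")
               for part in msg.iter_attachments())

def connecting_ip(msg):
    """IP our own server wrote in the topmost Received header (assumed format)."""
    # Received headers below the first were supplied by the sender and can be forged.
    received = msg.get_all("Received") or [""]
    match = BRACKETED_IP.search(str(received[0]))
    return match.group(1) if match else None

def tally_sources(raw_messages):
    """Count flagged messages per connecting IP, ignoring From: entirely."""
    counts = Counter()
    for raw in raw_messages:
        msg = message_from_bytes(raw, policy=policy.default)
        if looks_like_sobig(msg):
            counts[connecting_ip(msg)] += 1
    return counts

def make_sample(subject, sender, ip, filename=None):
    """Constructed test message; addresses and IPs are documentation values."""
    msg = EmailMessage()
    msg["Received"] = f"from pc ([{ip}]) by mx.example.net; 28 Aug 2003 08:00:00 +0000"
    msg["From"], msg["To"], msg["Subject"] = sender, "me@example.net", subject
    msg.set_content("See the attached file for details")
    if filename:
        msg.add_attachment(b"\0" * 64, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()

SAMPLES = [
    make_sample("Re: details", "alice@example.com", "192.0.2.10", "details.pif"),
    make_sample("Thankyou", "bob@example.org", "192.0.2.10", "movie.pif"),
    make_sample("Re: approved", "carol@example.com", "198.51.100.7", "doc.pif"),
    make_sample("Re: details", "dave@example.com", "203.0.113.5"),  # no attachment
]
```

Calling `tally_sources(SAMPLES).most_common()` lists the connecting IPs worth blocking first, however many different From: addresses the messages claim.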

have also been getting these, all to my ilx@ address which i only ever use here.

also got a bounce the other day for a message i never sent. apparently someone who has me in their address book also sends email to someone at swingers.com

andy

koogs (koogs), Thursday, 28 August 2003 16:55 (twenty-two years ago)

Yes, the IPs are much more of a guide to the actual source than the apparent address. I got to work a couple of Mondays back and had had nearly 200 virus emails over the weekend. I don't know how many I've had in total on my various accounts, but at (in my experience) about 75k a shot it's a lot of useless traffic and downloading time. But I haven't had one at home in about a week now, and only the odd one at work.

Martin Skidmore (Martin Skidmore), Thursday, 28 August 2003 19:09 (twenty-two years ago)

The first I saw of these e-mails was one from our own Lara Byrne with the subject "Re: Wicked Screensaver".. haha.

Mandee, Thursday, 28 August 2003 19:37 (twenty-two years ago)

Michael, I also have a Yahoo acct and it had been the main source of the sobig worm, overnight I'd have something in the teens in my bulk folder plus a few stray ones in my inbox. Now, I only get 2-3 overnight, it *might* have to do with changing my de-spam my ILX email as you can see below. I thought at first that the reduction and my changing my ilx addy was just a coincidence, but given Andy and Mandee's posts, ilx might be a source to nick email addys off of.

Leee (Leee), Thursday, 28 August 2003 19:47 (twenty-two years ago)

OK, I'll try that. Have had 11 in the last 10 hours, so we'll see what happens overnight.

Annoyingly, someone who has Pam's web address (which maps to her home address) in their Outlook has got a worm, so we're now getting 'Returned mail' messages at home. Some of these seem to include the entire worm but not as an attachment (i.e. the body of the email is 100k). I don't know whether this is a bad thing.

Michael Jones (MichaelJ), Thursday, 28 August 2003 19:57 (twenty-two years ago)

at the risk of crying wolf...

sobig.F supposedly expired yesterday (it had a self-destruct date coded into it). this leaves the way open for sobig.G which is likely to be a bit less benign. today's date is also kinda ominous.

my isp still isn't filtering out things that are obviously infected (file size in region of 100k). oh um.

andy

koogs (koogs), Thursday, 11 September 2003 05:36 (twenty-two years ago)

four months pass...
at least this new virus that i'm getting lots of is only a third the size of sobig. props to the writer for the conciseness of his code.

unfortunately i'm getting 3 times as many of them...

andy

koogs (koogs), Tuesday, 3 February 2004 23:33 (twenty-two years ago)

judging by the mails in my inbox a certain section of the music industry has the latest pox; seed, twisted nerve and LEAF have all sent me the pox.

Ed (dali), Wednesday, 4 February 2004 06:56 (twenty-two years ago)

