Outbreak
Agh. As if I weren’t getting enough unsolicited e-mail as it is, yesterday I started receiving a whole slew of it, and there’s a virus at work here. I’ve also received lots of “undeliverable mail” bounce messages, for e-mails with my address as the sender, even though I never sent them. So if you’ve received strange spam-like e-mail from my address, I didn’t send them, I swear!
Apparently, it’s “WORM_SOBIG.F”:
This worm propagates by mass-mailing copies of itself using its own Simple Mail Transfer Protocol (SMTP) engine. It collects email addresses from files with the following extensions: DBX, HLP, MHT, WAB, HTML, HTM, TXT, EML. It sends out email messages with the following details:
Subject: <any of the following:> Re: Thank you! Thank you! Re: Details Re: Re: My details Re: Approved Re: Your application Re: Wicked screensaver Re: That movieIt may spoof the FROM field using e-mail addresses found on the infected machine so that its e-mail messages appear to originate from one source but was actually sent from another. This worm deactivates its propagation routine on September 10, 2003. This worm runs on Windows 95, 98, ME, NT, 2000, and XP.
Message body: <any of the following:> See the attached file for details. Please see the attached file for details.
Attachment: <any of the following:> your_document.pif document_all.pif thank_you.pif your_details.pif details.pif document_9446.pif application.pif wicked_scr.scr movie0045.pif
More info at Trend Micro and Symantec.
My Yahoo mailbox got slammed by over 200 of these e-mails, then stopped suddenly at around 3 this afternoon.
Looking at all the headers showed an originating IP address assigned to the Department of Commerce!!
My Yahoo address also got spoofed and circulated.
This one was a doozey - remember, practice safe hex by keeping those virus scanners running and up to date.