Quick Warning :: Do not stay online from 9pm onwards today
 

There is a virus going around, "SoBig", this is just a test but they aim to wipe out Microsoft's servers.

Dont stay online. This could end up very bad

Maybe it's like saying "What's the worst that could happen?", but I'm protected by both a hardware and software firewall, and MS sites aren't normal steps in my browsing schedule with the exception of Windows Update. And I put WU in the Trusted Sites zone, so I guess I won't visit it now ;)

Nah, its a virus that downloads mate ;) read about it on www.sophos.com and remember, just because u have a hardware / software firewall DOESNT mean your 100% proof. :)

SoBig is an e-mail virus (beginning with Re:- )

so basically, dont open the e-mail:)

9PM is hardly very accurate seeing as there is more than one timezone :p

its after 9pm now in the word. :P

W32/Sobig-F
Aliases
I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f@MM, WORM_SOBIG.F

Type
Win32 worm

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the October 2003 (3.74) release of Sophos Anti-Virus.

Sophos has received many reports of this worm from the wild.


Description
W32/Sobig-F is a worm that spreads via email.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \TrayX
= <Windows folder<\winppr32.exe /sinc

The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.

The email has the following format:

Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!

Message text: Chosen from -
Please see the attached file for details.
See the attached file for details

Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

W32/Sobig-F also attempts to spread by copying itself to Windows network shares.

Important information

W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.

If the time returned by the NTP server is between 19:00 and 22:00 UTC+0 which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.

To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.

Customer should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.

If the date is September 10 2003 or later the worm stops working.


Recovery
Read instructions on how to remove the W32/Sobig-F worm and ensure your system is not vulnerable to reinfection.


if your dumb enuf to open anything besides a picture from someone unknown your taking a big enuf risk :\

im not too worried

if this is going to effect ms i would guess 9pm pac. time

k, so i got it wrong, it was MSBlast, i was thinking of SoBig because no one knew what it was. and it was midnight.

I've removed it the norton way, my own way and a few others and it likes to hide itself ever so often. and yes i shouldnt be on because my virus scanner picked it up but i need some help with somet.

Erm, what timezone is this 9pm in? I may have already overstayed the time limit. :p

I'm safe. :) I've the latest firewall and antivirus. Never had a virus or worm yet.

i just don't click on attachments ^^

ok, i have a AV and a firewall, too but all you have to be is careful ^^

Um I stayed on way past 9pm, uh oh.

forgot to turn my pc off :doh:

i never download attachments unless the person tells me they sent sumthing in an im or somthing. and the way i see it. i could care less if it wiped out my HD since i dont have anything on my comp that i couldnt re download or reinstall from disks

Thats good Mike.... But you dont download email atttachments to get it :P

Actually this is a new virus which had been spreading online recently. This virus currently infect Windows XP but not sure whether Windows 2000 is vulnerable to it. You will know you're infected when a small pop up window appear with a timer counting down the shutdown.

Well, download the microsoft patch at
http://www.microsoft.com/downloads/...&displaylang=en

A reboot might be required after patching.

Next up is to delete the files

1. Control+ALT+DEL and end the process called msblast.exe
2. Goto search and find msblast, there should be two files with that name, msblast.exe and mblast.exe-123xxx
3. Use RegEdit and go to HKEY_LOCAL- MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
Run and delete the msblast auto update

Then reboot the machine

To buy yourself some time so you can actually do all of this, when shutdown window appears click Start>run>type in "cmd" (no quotations) then in the window that pops up type "shutdown -a" no quotations. This stops the shutdown but doesnt allow you to copy or paste text and other such things.


Hope it help.

- Matthew

Yes i did that Matthew........... Ages ago, still got infected files tho!

Just don't download anything that someone is sending you in a email even if you know the person get it through a im program so you know it's them and don't download anything from strange areas and your fine.

Hell I don't have a viri scanner installed and if I think I got one then I do an online check, but viri scanners are a pain when it comes to gamming. Also a router is useally good enough fire wall protection as the odds of getting hacked by an amazing hacker that you don't know is rare.

And just for the records I havn't had one viri for 2 years now so I think these steps work mint ;)

how many times do i have to say MSBLAST IS NOT DOWNLOADED BY EMAIL!!!!!!!!!!!!!!!!