Quick Warning :: Do not stay online from 9pm onwards today

[pie]

There is a virus going around, "SoBig", this is just a test but they aim to wipe out Microsoft's servers.

Dont stay online. This could end up very bad

[filburt1]

Maybe it's like saying "What's the worst that could happen?", but I'm protected by both a hardware and software firewall, and MS sites aren't normal steps in my browsing schedule with the exception of Windows Update. And I put WU in the Trusted Sites zone, so I guess I won't visit it now

[pie]

Nah, its a virus that downloads mate read about it on www.sophos.com and remember, just because u have a hardware / software firewall DOESNT mean your 100% proof.

[assassingod]

SoBig is an e-mail virus (beginning with Re:- )

so basically, dont open the e-mail

[NTLDR]

9PM is hardly very accurate seeing as there is more than one timezone

[Zachery]

its after 9pm now in the word. :P

W32/Sobig-F
Aliases
I-Worm.Sobig.f, W32/Sobig.F-mm, W32/Sobig.f@MM, WORM_SOBIG.F

Type
Win32 worm

Detection
A virus identity file (IDE) file which provides protection is available now from the Latest virus identities section, and will be incorporated into the October 2003 (3.74) release of Sophos Anti-Virus.

Sophos has received many reports of this worm from the wild.


Description
W32/Sobig-F is a worm that spreads via email.

W32/Sobig-F copies itself to the Windows folder as winppr32.exe and sets one of the following registry entries:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run \TrayX
= <Windows folder>\winppr32.exe /sinc

HKCU\Software\Microsoft\Windows\CurrentVersion\Run \TrayX
= <Windows folder<\winppr32.exe /sinc

The worm sends itself, using its own SMTP engine, as an attachment to email addresses collected from various files on the victim's computer. When it distributes itself via email it forges the sender's email address, making it difficult to know who is truly infected.

The email has the following format:

Subject line: Chosen from -
Re: That movie
Re: Wicked screensaver
Re: Your application
Re: Approved
Re: Re: My details
Re: Details
Your details
Thank you!

Message text: Chosen from -
Please see the attached file for details.
See the attached file for details

Attached file: Chosen from -
movie0045.pif
wicked_scr.scr
application.pif
document_9446.pif
details.pif
your_details.pif
thank_you.pif
document_all.pif
your_document.pif

W32/Sobig-F also attempts to spread by copying itself to Windows network shares.

Important information

W32/Sobig-F uses the Network Time Protocol (NTP) to access one of several servers in order to determine the current date and time.

If the time returned by the NTP server is between 19:00 and 22:00 UTC+0 which is 8pm-11pm UK time) on Friday or Sunday, W32/Sobig-F sends a UDP packet to port 8998 of a remote server. This feature could be used to download and run a Trojan or additional worm components.

To prevent malicious code from being downloaded by W32/Sobig-F, Sophos strongly recommends that customers consider configuring company firewalls so outgoing connection attempts to UDP port 8998 are blocked.

Customer should consult their firewall documentation, or contact their firewall provider for assistance in implementing this configuration change.

If the date is September 10 2003 or later the worm stops working.


Recovery
Read instructions on how to remove the W32/Sobig-F worm and ensure your system is not vulnerable to reinfection.


if your dumb enuf to open anything besides a picture from someone unknown your taking a big enuf risk :\

im not too worried

if this is going to effect ms i would guess 9pm pac. time

[pie]

k, so i got it wrong, it was MSBlast, i was thinking of SoBig because no one knew what it was. and it was midnight.

I've removed it the norton way, my own way and a few others and it likes to hide itself ever so often. and yes i shouldnt be on because my virus scanner picked it up but i need some help with somet.

[Tony G]

Erm, what timezone is this 9pm in? I may have already overstayed the time limit.

[Erwin]

I'm safe. I've the latest firewall and antivirus. Never had a virus or worm yet.

[Xenon]

i just don't click on attachments ^^

ok, i have a AV and a firewall, too but all you have to be is careful ^^